Remove obsolete dapps and update security headers (#2694)

* Embed allowed only on signer port

* Adding security headers to dapps

* Adding security headers to signer

* Removing old dapps

signer/src/tests/mod.rs

@@ -81,6 +81,7 @@ fn should_reject_invalid_host() {
 	// then
 	assert_eq!(response.status, "HTTP/1.1 403 FORBIDDEN".to_owned());
 	assert!(response.body.contains("URL Blocked"));
+	http_client::assert_security_headers_present(&response.headers);
 }
 
 #[test]
@@ -101,6 +102,7 @@ fn should_serve_styles_even_on_disallowed_domain() {
 
 	// then
 	assert_eq!(response.status, "HTTP/1.1 200 OK".to_owned());
+	http_client::assert_security_headers_present(&response.headers);
 }
 
 #[test]
@@ -124,6 +126,7 @@ fn should_block_if_authorization_is_incorrect() {
 
 	// then
 	assert_eq!(response.status, "HTTP/1.1 403 FORBIDDEN".to_owned());
+	http_client::assert_security_headers_present(&response.headers);
 }
 
 #[test]
@@ -202,4 +205,5 @@ fn should_allow_initial_connection_but_only_once() {
 	// then
 	assert_eq!(response1.status, "HTTP/1.1 101 Switching Protocols".to_owned());
 	assert_eq!(response2.status, "HTTP/1.1 403 FORBIDDEN".to_owned());
+	http_client::assert_security_headers_present(&response2.headers);
 }

signer/src/ws_server/session.rs

@@ -112,6 +112,8 @@ fn add_headers(mut response: ws::Response, mime: &str) -> ws::Response {
 	{
 		let mut headers = response.headers_mut();
 		headers.push(("X-Frame-Options".into(), b"SAMEORIGIN".to_vec()));
+		headers.push(("X-XSS-Protection".into(), b"1; mode=block".to_vec()));
+		headers.push(("X-Content-Type-Options".into(), b"nosniff".to_vec()));
 		headers.push(("Server".into(), b"Parity/SignerUI".to_vec()));
 		headers.push(("Content-Length".into(), content_len.as_bytes().to_vec()));
 		headers.push(("Content-Type".into(), mime.as_bytes().to_vec()));