Merge pull request #1197 from ethcore/x-frame
Disabling `ethcore` by default, adding x-frame-options header to dapps.
This commit is contained in:
commit
ee77fc3bc3
@ -38,11 +38,16 @@ pub fn utils() -> Box<Endpoint> {
|
|||||||
|
|
||||||
pub fn all_endpoints() -> Endpoints {
|
pub fn all_endpoints() -> Endpoints {
|
||||||
let mut pages = Endpoints::new();
|
let mut pages = Endpoints::new();
|
||||||
pages.insert("proxy".to_owned(), ProxyPac::boxed());
|
pages.insert("proxy".into(), ProxyPac::boxed());
|
||||||
|
|
||||||
|
// Home page needs to be safe embed
|
||||||
|
// because we use Cross-Origin LocalStorage.
|
||||||
|
// TODO [ToDr] Account naming should be moved to parity.
|
||||||
|
pages.insert("home".into(), Box::new(
|
||||||
|
PageEndpoint::new_safe_to_embed(parity_dapps_builtins::App::default())
|
||||||
|
));
|
||||||
insert::<parity_dapps_status::App>(&mut pages, "status");
|
insert::<parity_dapps_status::App>(&mut pages, "status");
|
||||||
insert::<parity_dapps_status::App>(&mut pages, "parity");
|
insert::<parity_dapps_status::App>(&mut pages, "parity");
|
||||||
insert::<parity_dapps_builtins::App>(&mut pages, "home");
|
|
||||||
|
|
||||||
wallet_page(&mut pages);
|
wallet_page(&mut pages);
|
||||||
daodapp_page(&mut pages);
|
daodapp_page(&mut pages);
|
||||||
|
@ -30,6 +30,8 @@ pub struct PageEndpoint<T : WebApp + 'static> {
|
|||||||
pub app: Arc<T>,
|
pub app: Arc<T>,
|
||||||
/// Prefix to strip from the path (when `None` deducted from `app_id`)
|
/// Prefix to strip from the path (when `None` deducted from `app_id`)
|
||||||
pub prefix: Option<String>,
|
pub prefix: Option<String>,
|
||||||
|
/// Safe to be loaded in frame by other origin. (use wisely!)
|
||||||
|
safe_to_embed: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<T: WebApp + 'static> PageEndpoint<T> {
|
impl<T: WebApp + 'static> PageEndpoint<T> {
|
||||||
@ -37,6 +39,7 @@ impl<T: WebApp + 'static> PageEndpoint<T> {
|
|||||||
PageEndpoint {
|
PageEndpoint {
|
||||||
app: Arc::new(app),
|
app: Arc::new(app),
|
||||||
prefix: None,
|
prefix: None,
|
||||||
|
safe_to_embed: false,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -44,6 +47,18 @@ impl<T: WebApp + 'static> PageEndpoint<T> {
|
|||||||
PageEndpoint {
|
PageEndpoint {
|
||||||
app: Arc::new(app),
|
app: Arc::new(app),
|
||||||
prefix: Some(prefix),
|
prefix: Some(prefix),
|
||||||
|
safe_to_embed: false,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/// Creates new `PageEndpoint` which can be safely used in iframe
|
||||||
|
/// even from different origin. It might be dangerous (clickjacking).
|
||||||
|
/// Use wisely!
|
||||||
|
pub fn new_safe_to_embed(app: T) -> Self {
|
||||||
|
PageEndpoint {
|
||||||
|
app: Arc::new(app),
|
||||||
|
prefix: None,
|
||||||
|
safe_to_embed: true,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -61,6 +76,7 @@ impl<T: WebApp> Endpoint for PageEndpoint<T> {
|
|||||||
path: path,
|
path: path,
|
||||||
file: None,
|
file: None,
|
||||||
write_pos: 0,
|
write_pos: 0,
|
||||||
|
safe_to_embed: self.safe_to_embed,
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -83,6 +99,7 @@ struct PageHandler<T: WebApp + 'static> {
|
|||||||
path: EndpointPath,
|
path: EndpointPath,
|
||||||
file: Option<String>,
|
file: Option<String>,
|
||||||
write_pos: usize,
|
write_pos: usize,
|
||||||
|
safe_to_embed: bool,
|
||||||
}
|
}
|
||||||
|
|
||||||
impl<T: WebApp + 'static> PageHandler<T> {
|
impl<T: WebApp + 'static> PageHandler<T> {
|
||||||
@ -128,6 +145,9 @@ impl<T: WebApp + 'static> server::Handler<HttpStream> for PageHandler<T> {
|
|||||||
if let Some(f) = self.file.as_ref().and_then(|f| self.app.file(f)) {
|
if let Some(f) = self.file.as_ref().and_then(|f| self.app.file(f)) {
|
||||||
res.set_status(StatusCode::Ok);
|
res.set_status(StatusCode::Ok);
|
||||||
res.headers_mut().set(header::ContentType(f.content_type.parse().unwrap()));
|
res.headers_mut().set(header::ContentType(f.content_type.parse().unwrap()));
|
||||||
|
if !self.safe_to_embed {
|
||||||
|
res.headers_mut().set_raw("X-Frame-Options", vec![b"SAMEORIGIN".to_vec()]);
|
||||||
|
}
|
||||||
Next::write()
|
Next::write()
|
||||||
} else {
|
} else {
|
||||||
res.set_status(StatusCode::NotFound);
|
res.set_status(StatusCode::NotFound);
|
||||||
@ -192,6 +212,7 @@ fn should_extract_path_with_appid() {
|
|||||||
},
|
},
|
||||||
file: None,
|
file: None,
|
||||||
write_pos: 0,
|
write_pos: 0,
|
||||||
|
safe_to_embed: true,
|
||||||
};
|
};
|
||||||
|
|
||||||
// when
|
// when
|
||||||
|
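Review bot: The `X-Frame-Options` header added under `if !self.safe_to_embed` is only set on the found-file branch, so the `StatusCode::NotFound` response a few lines below (and any other response this handler produces) leaves without it. Moving those three lines to just above `if let Some(f) = self.file.as_ref().and_then(|f| self.app.file(f)) {` covers every response from the handler: `if !self.safe_to_embed { res.headers_mut().set_raw("X-Frame-Options", vec![b"SAMEORIGIN".to_vec()]); }` placed before the `if let`. Since only browsers that still honour the legacy header are protected, consider also emitting `Content-Security-Policy: frame-ancestors 'self'` in the same place. Pages built with `new_safe_to_embed` get no framing restriction at all, which is intended for the home page's cross-origin LocalStorage, but a comment on that constructor such as `// NOTE: embeddable by any origin — keep such pages free of state-changing actions` would make the trade-off explicit for future callers; the test in the last hunk only constructs a handler with `safe_to_embed: true`, so nothing asserts the header is present when it is `false`. The enclosing response method starts and ends outside the hunk.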
@ -76,13 +76,13 @@ API and Console Options:
|
|||||||
interface. APIS is a comma-delimited list of API
|
interface. APIS is a comma-delimited list of API
|
||||||
name. Possible name are web3, eth, net, personal,
|
name. Possible name are web3, eth, net, personal,
|
||||||
ethcore, traces.
|
ethcore, traces.
|
||||||
[default: web3,eth,net,personal,ethcore,traces].
|
[default: web3,eth,net,personal,traces].
|
||||||
|
|
||||||
--ipc-off Disable JSON-RPC over IPC service.
|
--ipc-off Disable JSON-RPC over IPC service.
|
||||||
--ipc-path PATH Specify custom path for JSON-RPC over IPC service
|
--ipc-path PATH Specify custom path for JSON-RPC over IPC service
|
||||||
[default: $HOME/.parity/jsonrpc.ipc].
|
[default: $HOME/.parity/jsonrpc.ipc].
|
||||||
--ipc-apis APIS Specify custom API set available via JSON-RPC over
|
--ipc-apis APIS Specify custom API set available via JSON-RPC over
|
||||||
IPC [default: web3,eth,net,personal,ethcore].
|
IPC [default: web3,eth,net,personal,traces].
|
||||||
|
|
||||||
--dapps-off Disable the Dapps server (e.g. status page).
|
--dapps-off Disable the Dapps server (e.g. status page).
|
||||||
--dapps-port PORT Specify the port portion of the Dapps server
|
--dapps-port PORT Specify the port portion of the Dapps server
|
||||||
|
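Review bot: The `--ipc-apis` default at `IPC [default: web3,eth,net,personal,traces].` not only drops `ethcore`, as the PR title says, but also adds `traces`, which the previous IPC default did not include; if docopt derives the runtime default from this `[default: …]` text, as the syntax suggests, that is a behaviour change beyond the stated scope and should either be reverted to `web3,eth,net,personal` or called out in the description. The help text at `ethcore, traces.` still lists `ethcore` as a selectable name, which is correct since it can be re-enabled explicitly, but a sentence such as `ethcore is disabled by default; pass it explicitly to enable.` would stop operators from assuming the old default. The `personal` API remains in both defaults; if it exposes account-management calls it merits the same default-off consideration as `ethcore`.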