add X-Frame-Options to console headers

apps/i2psnark/java/src/org/klomp/snark/web/I2PSnarkServlet.java

@@ -148,6 +148,7 @@ public class I2PSnarkServlet extends DefaultServlet {
         _imgPath = _themePath + "images/";
         // this is the part after /i2psnark
         String path = req.getServletPath();
+        resp.setHeader("X-Frame-Options", "SAMEORIGIN");
 
         // AJAX for mainsection
         if ("/.ajax/xhr1.html".equals(path)) {

apps/i2ptunnel/jsp/edit.jsp

@@ -1,6 +1,8 @@
 <%
     // NOTE: Do the header carefully so there is no whitespace before the <?xml... line
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"

apps/i2ptunnel/jsp/index.jsp

@@ -5,6 +5,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %><%@page pageEncoding="UTF-8"
 %><%@page trimDirectiveWhitespaces="true"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.IndexBean"

apps/i2ptunnel/jsp/wizard.jsp

@@ -5,6 +5,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %><%@page pageEncoding="UTF-8"
 %><%@page contentType="text/html" import="net.i2p.i2ptunnel.web.EditBean"
 %><?xml version="1.0" encoding="UTF-8"?>

apps/routerconsole/java/src/net/i2p/router/web/CSSHelper.java

@@ -19,6 +19,7 @@ public class CSSHelper extends HelperBase {
     private static final String FORCE = "classic";
     public static final String PROP_REFRESH = "routerconsole.summaryRefresh";
     public static final String DEFAULT_REFRESH = "60";
+    private static final String PROP_XFRAME = "routerconsole.disableXFrame";
 
     public String getTheme(String userAgent) {
         String url = BASE_THEME_PATH;
@@ -58,6 +59,15 @@ public class CSSHelper extends HelperBase {
             NewsFetcher.getInstance(_context).showNews(val.equals("1"));
     }
 
+    /**
+     *  Should we send X_Frame_Options=SAMEORIGIN
+     *  Default true
+     *  @since 0.9.1
+     */
+    public boolean shouldSendXFrame() {
+        return !_context.getBooleanProperty(PROP_XFRAME);
+    }
+
     /** change refresh and save it */
     public void setRefresh(String r) {
         _context.router().saveConfig(PROP_REFRESH, r);

apps/routerconsole/jsp/css.jsi

@@ -29,6 +29,10 @@
 <jsp:useBean class="net.i2p.router.web.CSSHelper" id="intl" scope="request" />
 <jsp:setProperty name="intl" property="contextId" value="<%=(String)session.getAttribute(\"i2p.contextId\")%>" />
 <%
+   // clickjacking
+   if (intl.shouldSendXFrame())
+      response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
    String conNonceParam = request.getParameter("consoleNonce");
    if (conNonceParam != null && conNonceParam.equals(System.getProperty("router.consoleNonce"))) {
        intl.setLang(request.getParameter("lang"));

apps/susidns/src/jsp/addressbook.jsp

@@ -27,6 +27,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>

apps/susidns/src/jsp/config.jsp

@@ -27,6 +27,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>

apps/susidns/src/jsp/details.jsp

@@ -24,6 +24,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>

apps/susidns/src/jsp/index.jsp

@@ -27,6 +27,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>

apps/susidns/src/jsp/subscriptions.jsp

@@ -27,6 +27,8 @@
     if (request.getCharacterEncoding() == null)
         request.setCharacterEncoding("UTF-8");
 
+    response.setHeader("X-Frame-Options", "SAMEORIGIN");
+
 %>
 <%@page pageEncoding="UTF-8"%>
 <%@page trimDirectiveWhitespaces="true"%>

apps/susimail/src/src/i2p/susi/webmail/WebMail.java

@@ -1185,6 +1185,7 @@ public class WebMail extends HttpServlet
 	{
 		httpRequest.setCharacterEncoding("UTF-8");
 		response.setCharacterEncoding("UTF-8");
+                response.setHeader("X-Frame-Options", "SAMEORIGIN");
 		RequestWrapper request = new RequestWrapper( httpRequest );
 		
 		SessionObject sessionObject = null;

history.txt

@@ -1,3 +1,7 @@
+2012-05-13 zzz
+ * Console: Add X-Frame-Options to headers,
+   disable with routerconsole.disableXFrame=true
+
 * 2012-05-02 0.9 released
 
 2012-04-26 kytv

router/java/src/net/i2p/router/RouterVersion.java

@@ -18,7 +18,7 @@ public class RouterVersion {
     /** deprecated */
     public final static String ID = "Monotone";
     public final static String VERSION = CoreVersion.VERSION;
-    public final static long BUILD = 0;
+    public final static long BUILD = 1;
 
     /** for example "-test" */
     public final static String EXTRA = "";