From f88adb91808a25ed18e6e5d1839c708fe153bf35 Mon Sep 17 00:00:00 2001 From: Kevin Ansfield Date: Tue, 28 May 2019 09:04:48 +0100 Subject: [PATCH] Added x-frame-options header to /ghost/ route (#10760) no issue - by default the `/ghost/` route will add an `x-frame-options: sameorigin` header to the response to help protect the admin area against clickjacking - the header can be disabled by adding `"adminFrameProtection": false` to the `config.{env}.json` configuration file Credits: Muhammad Fawwad Obaida --- core/server/config/defaults.json | 1 + core/server/web/admin/controller.js | 7 +++- core/test/unit/web/admin/controller_spec.js | 45 +++++++++++++++++++++ 3 files changed, 52 insertions(+), 1 deletion(-) create mode 100644 core/test/unit/web/admin/controller_spec.js diff --git a/core/server/config/defaults.json b/core/server/config/defaults.json index 35d7789bbf..8f25c25399 100644 --- a/core/server/config/defaults.json +++ b/core/server/config/defaults.json @@ -94,5 +94,6 @@ }, "compress": true, "preloadHeaders": false, + "adminFrameProtection": true, "sendWelcomeEmail": true } diff --git a/core/server/web/admin/controller.js b/core/server/web/admin/controller.js index b05f1f4990..b13c47f09b 100644 --- a/core/server/web/admin/controller.js +++ b/core/server/web/admin/controller.js @@ -23,6 +23,11 @@ module.exports = function adminController(req, res) { const defaultTemplate = config.get('env') === 'production' ? 'default-prod.html' : 'default.html'; const templatePath = path.resolve(config.get('paths').adminViews, defaultTemplate); + const headers = {}; - res.sendFile(templatePath); + if (config.get('adminFrameProtection')) { + headers['X-Frame-Options'] = 'sameorigin'; + } + + res.sendFile(templatePath, {headers}); }; diff --git a/core/test/unit/web/admin/controller_spec.js b/core/test/unit/web/admin/controller_spec.js new file mode 100644 index 0000000000..ca3af3ef5b --- /dev/null +++ b/core/test/unit/web/admin/controller_spec.js @@ -0,0 +1,45 @@ +require('should'); +const sinon = require('sinon'); +const configUtils = require('../../../utils/configUtils'); +const controller = require('../../../../server/web/admin/controller'); + +describe('Admin App', function () { + describe('controller', function () { + const req = {}; + let res; + + beforeEach(function () { + res = { + sendFile: sinon.spy() + }; + + configUtils.restore(); + }); + + afterEach(function () { + sinon.restore(); + }); + + it('adds x-frame-options header when adminFrameProtection is enabled (default)', function () { + // default config: configUtils.set('adminFrameProtection', true); + controller(req, res); + + res.sendFile.called.should.be.true(); + res.sendFile.calledWith( + sinon.match.string, + sinon.match.hasNested('headers.X-Frame-Options', sinon.match('sameorigin')) + ).should.be.true(); + }); + + it('doesn\'t add x-frame-options header when adminFrameProtection is disabled', function () { + configUtils.set('adminFrameProtection', false); + controller(req, res); + + res.sendFile.called.should.be.true(); + res.sendFile.calledWith( + sinon.match.string, + sinon.match.hasNested('headers.X-Frame-Options') + ).should.be.false(); + }); + }); +});