Add xFrameOptions to apps and routes
@@ -262,6 +262,7 @@ function getAppConfig(app) {
|
||||
accessRestriction: app.accessRestriction,
|
||||
portBindings: app.portBindings,
|
||||
memoryLimit: app.memoryLimit,
|
||||
xFrameOptions: app.xFrameOptions,
|
||||
altDomain: app.altDomain
|
||||
};
|
||||
}
|
||||
@@ -541,6 +542,12 @@ function configure(appId, data, auditSource, callback) {
|
||||
values.memoryLimit = values.memoryLimit || app.memoryLimit || app.manifest.memoryLimit || constants.DEFAULT_MEMORY_LIMIT;
|
||||
}
|
||||
|
||||
if ('xFrameOptions' in data) {
|
||||
values.xFrameOptions = data.xFrameOptions;
|
||||
error = validateXFrameOptions(values.xFrameOptions);
|
||||
if (error) return callback(error);
|
||||
}
|
||||
|
||||
// save cert to data/box/certs. TODO: move this to apptask when we have a real task queue
|
||||
if ('cert' in data && 'key' in data) {
|
||||
if (data.cert && data.key) {
|
||||
@@ -782,6 +789,7 @@ function clone(appId, data, auditSource, callback) {
|
||||
installationState: appdb.ISTATE_PENDING_CLONE,
|
||||
memoryLimit: app.memoryLimit,
|
||||
accessRestriction: app.accessRestriction,
|
||||
xFrameOptions: app.xFrameOptions,
|
||||
lastBackupId: backupId
|
||||
};
|
||||
|
||||
|
||||
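Review bot: `validateXFrameOptions` is the only check between the request body and the stored value in `configure`, and its body is not part of these hunks, so it is worth confirming that it accepts a fixed set of header values rather than any string. The stored value is later handed to the nginx app-config template (`xFrameOptions: app.xFrameOptions || 'SAMEORIGIN'` in `configureApp`), so a permissive validator would let arbitrary text into a server config file. The install path is also not visible here; if `install` stores `data.xFrameOptions`, it presumably needs the same call. I would add above the new block: `// xFrameOptions ends up in the generated nginx config; validateXFrameOptions must reject anything outside the allowed header values`. `configure` and `clone` both start and end outside the hunks shown.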
+1
-1
@@ -75,7 +75,7 @@ function configureApp(app, certFilePath, keyFilePath, callback) {
|
||||
endpoint: endpoint,
|
||||
certFilePath: certFilePath,
|
||||
keyFilePath: keyFilePath,
|
||||
xFrameOptions: app.xFrameOptions || 'SAMEORIGIN'
|
||||
xFrameOptions: app.xFrameOptions || 'SAMEORIGIN' // once all apps have been updated/
|
||||
};
|
||||
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
|
||||
|
||||
|
||||
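Review bot: The trailing comment on the `xFrameOptions` line stops mid-sentence at `updated/`, so the reason for the `'SAMEORIGIN'` fallback and the condition for removing it are lost; it should be completed, for example `// fallback for apps stored before xFrameOptions existed; remove once every app has been reconfigured` if that is the intent. The `||` fallback only covers a missing value: a non-empty string that was stored without passing validation is handed to `ejs.render` unchanged, and the template is not visible here to show how it emits the value. Checking the value against the accepted set again before building `data` would keep the generated config independent of how the row was written. The body of `configureApp` continues outside the hunk.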
+5
-1
@@ -53,7 +53,8 @@ function removeInternalAppFields(app) {
|
||||
iconUrl: app.iconUrl,
|
||||
fqdn: app.fqdn,
|
||||
memoryLimit: app.memoryLimit,
|
||||
altDomain: app.altDomain
|
||||
altDomain: app.altDomain,
|
||||
xFrameOptions: app.xFrameOptions
|
||||
};
|
||||
}
|
||||
|
||||
@@ -120,6 +121,8 @@ function installApp(req, res, next) {
|
||||
// falsy value in altDomain unsets it
|
||||
if (data.altDomain && typeof data.altDomain !== 'string') return next(new HttpError(400, 'altDomain must be a string'));
|
||||
|
||||
if (data.xFrameOptions && typeof data.xFrameOptions !== 'string') return next(new HttpError(400, 'xFrameOptions must be a string'));
|
||||
|
||||
debug('Installing app id:%s data:%j', data);
|
||||
|
||||
apps.install(data, auditSource(req), function (error, app) {
|
||||
@@ -155,6 +158,7 @@ function configureApp(req, res, next) {
|
||||
|
||||
if ('memoryLimit' in data && typeof data.memoryLimit !== 'number') return next(new HttpError(400, 'memoryLimit is not a number'));
|
||||
if (data.altDomain && typeof data.altDomain !== 'string') return next(new HttpError(400, 'altDomain must be a string'));
|
||||
if (data.xFrameOptions && typeof data.xFrameOptions !== 'string') return next(new HttpError(400, 'xFrameOptions must be a string'));
|
||||
|
||||
debug('Configuring app id:%s data:%j', req.params.id, data);
|
||||
|
||||
|
||||
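Review bot: The new type checks in `installApp` and `configureApp` test `data.xFrameOptions && typeof ...`, so falsy non-string values such as `0`, `false` or `null` pass the route and are forwarded. In `configure` the guard is `'xFrameOptions' in data`, which is true for those values, so they reach `validateXFrameOptions` with a non-string argument. The `memoryLimit` check in the same hunk uses the `in` form; the same shape would be `if ('xFrameOptions' in data && typeof data.xFrameOptions !== 'string') return next(new HttpError(400, 'xFrameOptions must be a string'));`. If a falsy value is meant to reset the setting, as the `altDomain` comment says for that field, a comment stating so belongs next to the check. Both handlers extend beyond the hunks shown.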