Introduce X-Frame-Origin header
Change-Id: Ia9b66297c68f819b26158c79fb2da6572c784898
diff --git a/Changes b/Changes
index 654f992..f0b921a 100755
--- a/Changes
+++ b/Changes
@@ -1,4 +1,4 @@
-0.41 2021-01-27
+0.41 2021-01-28
- Introduce CORS headers to the proxy.
- Introduce Content Security Policy.
- Remove default api endpoint from config to
@@ -12,6 +12,7 @@
- Introduce HSTS header for https_only conf.
- Send 'nosniff' header.
- defer main script.
+ - Introduce X-Frame-Options header.
0.40 2020-12-17
- Modernize ES and fix in-loops.
diff --git a/lib/Kalamar.pm b/lib/Kalamar.pm
index 8efd919..a7c360b 100644
--- a/lib/Kalamar.pm
+++ b/lib/Kalamar.pm
@@ -112,6 +112,7 @@
before_dispatch => sub {
my $h = shift->res->headers;
$h->header('X-Content-Type-Options' => 'nosniff');
+ $h->header('X-Frame-Options' => 'sameorigin');
$h->header(
'Access-Control-Allow-Methods' =>
$h->header('Access-Control-Allow-Methods') // 'GET, POST, OPTIONS'
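Review bot: The new `X-Frame-Options` line is set unconditionally with no note on how it relates to the Content Security Policy this release also introduces (per the Changes entry); if that policy carries a `frame-ancestors` directive, browsers that support it ignore `X-Frame-Options`, so the two must agree (`frame-ancestors 'self'` pairs with `sameorigin`) or the weaker of them silently wins in older browsers. I would add a comment above the added line, e.g. `# Legacy fallback for browsers without CSP frame-ancestors support; keep in sync with the CSP`, so the next edit to either header does not desynchronise them. The value is conventionally written `SAMEORIGIN`; browsers appear to treat it case-insensitively, so this is presumably cosmetic, but matching the RFC spelling avoids any doubt. The commit title says "X-Frame-Origin" while the code and the Changes entry say "X-Frame-Options". The `before_dispatch` hook's body continues past the end of this hunk.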
diff --git a/t/page.t b/t/page.t
index 88479f5..c9bce7f 100644
--- a/t/page.t
+++ b/t/page.t
@@ -33,6 +33,7 @@
->content_like(qr/document\.body\.classList\.remove\(\'no-js\'\);/)
->header_is('X-Content-Type-Options', 'nosniff')
->header_is('Access-Control-Allow-Methods','GET, POST, OPTIONS')
+ ->header_is('X-Frame-Options', 'sameorigin')
;
# Test additions