Nemcio/Gogs
1
0
Fork 0
mirror of https://github.com/gogs/gogs.git synced 2026-03-03 18:51:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

context: add X-Frame-Options header (#6411)

Browse Source 
Co-authored-by: ᴜɴᴋɴᴡᴏɴ <u@gogs.io>
# Conflicts:
#	CHANGELOG.md
This commit is contained in:
Matheus Mosca
2020-11-11 01:17:43 -03:00
committed by ᴜɴᴋɴᴡᴏɴ
parent f0e3cd90f8
commit eb3386c4aa
2 changed files with 21 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
CHANGELOG.md
View File

@@ -7,6 +7,7 @@ All notable changes to Gogs are documented in this file.
### Added
- An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. [#5733](https://github.com/gogs/gogs/issues/5733)
- Add new configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. [#6315](https://github.com/gogs/gogs/issues/6315)
### Changed
@@ -16,13 +17,7 @@ All notable changes to Gogs are documented in this file.
### Fixed
- _Regression:_ Pages are correctly rendered when requesting `?go-get=1` for subdirectories. [#6314](https://github.com/gogs/gogs/issues/6314)
- _Regression:_ Submodule with a relative path is linked correctly. [#6319](https://github.com/gogs/gogs/issues/6319)
- Backup can be processed when `--target` is specified on Windows. [#6339](https://github.com/gogs/gogs/issues/6339)
- Commit message contains keywords look like an issue reference no longer fails the push entirely. [#6289](https://github.com/gogs/gogs/issues/6289)
- _Regression:_ When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". [#6316](https://github.com/gogs/gogs/issues/6316)
- Auto-linked commit SHAs now have correct links. [#6300](https://github.com/gogs/gogs/issues/6300)
- Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when upload files.
- Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409)
### Removed
@@ -31,7 +26,6 @@ All notable changes to Gogs are documented in this file.
- Configuration section `[service]` is no longer used.
- Configuration option `APP_NAME` is no longer used.
- Configuration option `[security] REVERSE_PROXY_AUTHENTICATION_USER` is no longer used.
- Configuration option `[database] PASSWD` is no longer used.
- Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is no longer used.
- Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is no longer used.
- Configuration option `[auth] ENABLE_CAPTCHA` is no longer used.
@@ -44,6 +38,23 @@ All notable changes to Gogs are documented in this file.
- Configuration option `[database] DB_TYPE` is no longer used.
- Configuration option `[database] PASSWD` is no longer used.
## 0.12.3
### Fixed
- _Regression:_ When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". [#6316](https://github.com/gogs/gogs/issues/6316)
- Auto-linked commit SHAs now have correct links. [#6300](https://github.com/gogs/gogs/issues/6300)
- Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when upload files.
## 0.12.2
### Fixed
- _Regression:_ Pages are correctly rendered when requesting `?go-get=1` for subdirectories. [#6314](https://github.com/gogs/gogs/issues/6314)
- _Regression:_ Submodule with a relative path is linked correctly. [#6319](https://github.com/gogs/gogs/issues/6319)
- Backup can be processed when `--target` is specified on Windows. [#6339](https://github.com/gogs/gogs/issues/6339)
- Commit message contains keywords look like an issue reference no longer fails the push entirely. [#6289](https://github.com/gogs/gogs/issues/6289)
## 0.12.1
### Fixed
@@ -81,6 +92,7 @@ All notable changes to Gogs are documented in this file.
- Configuration section `[service]` is deprecated and will end support in 0.13.0, please start using `[auth]`.
- Configuration option `[auth] ACTIVE_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] ACTIVATE_CODE_LIVES`.
- Configuration option `[auth] RESET_PASSWD_CODE_LIVE_MINUTES` is deprecated and will end support in 0.13.0, please start using `[auth] RESET_PASSWORD_CODE_LIVES`.
- Configuration option `[auth] REGISTER_EMAIL_CONFIRM` is deprecated and will end support in 0.13.0, please start using `[auth] REQUIRE_EMAIL_CONFIRMATION`.
- Configuration option `[auth] ENABLE_CAPTCHA` is deprecated and will end support in 0.13.0, please start using `[auth] ENABLE_REGISTRATION_CAPTCHA`.
- Configuration option `[auth] ENABLE_NOTIFY_MAIL` is deprecated and will end support in 0.13.0, please start using `[user] ENABLE_EMAIL_NOTIFICATION`.
- Configuration option `[session] GC_INTERVAL_TIME` is deprecated and will end support in 0.13.0, please start using `[session] GC_INTERVAL`.

1
internal/context/context.go
View File

@@ -290,6 +290,7 @@ func Contexter() macaron.Handler {
// 🚨 SECURITY: Prevent MIME type sniffing in some browsers,
// see https://github.com/gogs/gogs/issues/5397 for details.
c.Header().Set("X-Content-Type-Options", "nosniff")
c.Header().Set("X-Frame-Options", "DENY")
ctx.Map(c)
}