Blanket X-Frame-Options: SAMEORIGIN policy.

Thanks to /u/saurabh_nemade for bringing a content extraction redressing technique to our attention.
2026-04-05 03:00:15 -04:00 · 2013-10-30 14:09:12 -07:00
parent bb8f4b1b57
commit e76936aae3
4 changed files with 9 additions and 17 deletions
--- a/r2/r2/controllers/front.py
+++ b/r2/r2/controllers/front.py
@@ -27,7 +27,7 @@ from r2.controllers.reddit_base import (
    pagecache_policy,
    PAGECACHE_POLICY,
    paginated_listing,
-    prevent_framing_and_css,
+    disable_subreddit_css,
    RedditController,
 )
 from r2 import config
@@ -127,7 +127,7 @@ class FrontController(RedditController, OAuth2ResourceController):
        else:
            return self.redirect(add_sr('/'))

-    @prevent_framing_and_css()
+    @disable_subreddit_css()
    @validate(VAdmin(),
              thing=VByName('article'),
              oldid36=nop('article'),
@@ -450,7 +450,7 @@ class FrontController(RedditController, OAuth2ResourceController):
    modname_splitter = re.compile('[ ,]+')

    @require_oauth2_scope("modlog")
-    @prevent_framing_and_css(allow_cname_frame=True)
+    @disable_subreddit_css()
    @paginated_listing(max_page_size=500, backend='cassandra')
    @validate(
        mod=nop('mod', docs={"mod": "(optional) a moderator filter"}),
@@ -679,7 +679,7 @@ class FrontController(RedditController, OAuth2ResourceController):
                          extension_handling=False).render()

    @base_listing
-    @prevent_framing_and_css(allow_cname_frame=True)
+    @disable_subreddit_css()
    @validate(VSrModerator(perms='posts'),
              location=nop('location'),
              only=VOneOf('only', ('links', 'comments')))
@@ -704,7 +704,7 @@ class FrontController(RedditController, OAuth2ResourceController):
                          extension_handling=extension_handling).render()

    @base_listing
-    @prevent_framing_and_css(allow_cname_frame=True)
+    @disable_subreddit_css()
    @validate(VSrModerator(perms='flair'),
              name=nop('name'))
    def GET_flairlisting(self, num, after, reverse, count, name):
@@ -719,7 +719,7 @@ class FrontController(RedditController, OAuth2ResourceController):
        pane = FlairPane(num, after, reverse, name, user)
        return EditReddit(content=pane, location='flair').render()

-    @prevent_framing_and_css(allow_cname_frame=True)
+    @disable_subreddit_css()
    @validate(location=nop('location'),
              created=VOneOf('created', ('true','false'),
                             default='false'))
@@ -1260,7 +1260,7 @@ class FormsController(RedditController):
        return BoringPage(_("reset password"),
                          content=ResetPassword(key=key, done=done)).render()

-    @prevent_framing_and_css()
+    @disable_subreddit_css()
    @validate(VUser(),
              location=nop("location"),
              verified=VBoolean("verified"))
@@ -1337,7 +1337,6 @@ class FormsController(RedditController):
        if not c.user.name in g.admins:
            return self.abort404()

-        c.deny_frames = True
        return AdminModeInterstitial(dest=dest).render()

    @validate(VAdmin(),
--- a/r2/r2/controllers/oauth2.py
+++ b/r2/r2/controllers/oauth2.py
@@ -113,7 +113,6 @@ class OAuth2FrontendController(RedditController):
        self._check_redirect_uri(client, redirect_uri)

        if not c.errors:
-            c.deny_frames = True
            return OAuth2AuthorizationPage(client, redirect_uri, scope, state,
                                           duration).render()
        else:
--- a/r2/r2/controllers/reddit_base.py
+++ b/r2/r2/controllers/reddit_base.py
@@ -667,13 +667,11 @@ def require_https():
    if not c.secure:
        abort(ForbiddenError(errors.HTTPS_REQUIRED))

-def prevent_framing_and_css(allow_cname_frame=False):
+def disable_subreddit_css():
    def wrap(f):
        @wraps(f)
        def no_funny_business(*args, **kwargs):
            c.allow_styles = False
-            if not (allow_cname_frame and c.cname and not c.authorized_cname):
-                c.deny_frames = True
            return f(*args, **kwargs)
        return no_funny_business
    return wrap
@@ -818,8 +816,7 @@ class MinimalController(BaseController):
            response.headers['Cache-Control'] = 'no-cache'
            response.headers['Pragma'] = 'no-cache'

-        if c.deny_frames:
-            response.headers["X-Frame-Options"] = "DENY"
+        response.headers["X-Frame-Options"] = "SAMEORIGIN"

        # save the result of this page to the pagecache if possible.  we
        # mustn't cache things that rely on state not tracked by request_key
--- a/r2/r2/templates/reddit.html
+++ b/r2/r2/templates/reddit.html
@@ -114,9 +114,6 @@
 <%def name="javascript()">
  <% from r2.lib import js %>
  ${unsafe(js.use('jquery', 'reddit-init'))}
-  % if c.deny_frames:
-    <script>if (window != top) top.location = window.location</script>
-  % endif
  <!--[if lt IE 9]>
    ${unsafe(js.use('html5shiv'))}
  <![endif]-->