context: add X-Frame-Options header (#6411)

matheusmosca · unknwon · mpsonntag · commit 16f5c7139303 · 2020-12-02T16:44:00.000+01:00
Co-authored-by: ᴜɴᴋɴᴡᴏɴ &lt;u@gogs.io&gt;
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ All notable changes to Gogs are documented in this file.
 ### Added
 
 - An unlisted option is added when create or migrate a repository. Unlisted repositories are public but not being listed for users without direct access in the UI. [#5733](https://github.com/gogs/gogs/issues/5733)
+- Add new configuration option `[git.timeout] DIFF` for customizing operation timeout of `git diff`. [#6315](https://github.com/gogs/gogs/issues/6315)
 
 ### Changed
 
@@ -16,13 +17,7 @@ All notable changes to Gogs are documented in this file.
 
 ### Fixed
 
-- _Regression:_ Pages are correctly rendered when requesting `?go-get=1` for subdirectories. [#6314](https://github.com/gogs/gogs/issues/6314)
-- _Regression:_ Submodule with a relative path is linked correctly. [#6319](https://github.com/gogs/gogs/issues/6319)
-- Backup can be processed when `--target` is specified on Windows. [#6339](https://github.com/gogs/gogs/issues/6339)
-- Commit message contains keywords look like an issue reference no longer fails the push entirely. [#6289](https://github.com/gogs/gogs/issues/6289)
-- _Regression:_ When running Gogs on Windows, push commits no longer fail on a daily basis with the error "pre-receive hook declined". [#6316](https://github.com/gogs/gogs/issues/6316)
-- Auto-linked commit SHAs now have correct links. [#6300](https://github.com/gogs/gogs/issues/6300)
-- Git LFS client (with version >= 2.5.0) wasn't able to upload files with known format (e.g. PNG, JPEG), and the server is expecting the HTTP Header `Content-Type` to be `application/octet-stream`. The server now tells the LFS client to always use `Content-Type: application/octet-stream` when upload files.
+- Add `X-Frame-Options` header to prevent Clickjacking. [#6409](https://github.com/gogs/gogs/issues/6409) 
 
 ### Removed
 
diff --git a/internal/context/context.go b/internal/context/context.go
@@ -291,6 +291,7 @@ func Contexter() macaron.Handler {
 		// 🚨 SECURITY: Prevent MIME type sniffing in some browsers,
 		// see https://github.com/gogs/gogs/issues/5397 for details.
 		c.Header().Set("X-Content-Type-Options", "nosniff")
+		c.Header().Set("X-Frame-Options", "DENY")
 
 		ctx.Map(c)
 	}

Original file line number	Diff line number	Diff line change
`@@ -291,6 +291,7 @@ func Contexter() macaron.Handler {`
`291`	`291`	`// 🚨 SECURITY: Prevent MIME type sniffing in some browsers,`
`292`	`292`	`// see https://github.com/gogs/gogs/issues/5397 for details.`
`293`	`293`	`c.Header().Set("X-Content-Type-Options", "nosniff")`
	`294`	`+ c.Header().Set("X-Frame-Options", "DENY")`
`294`	`295`
`295`	`296`	`ctx.Map(c)`
`296`	`297`	`}`