From: Felix Dörre <felix@dogcraft.de>
Date: Sun, 29 Jun 2014 14:31:43 +0000 (+0200)
Subject: Do simple XSS Header protection.
X-Git-Url: https://code.wpia.club/?p=gigi.git;a=commitdiff_plain;h=1678385c9dc9d133aa5952da5033f7a652737f3f;ds=sidebyside

Do simple XSS Header protection.
---

diff --git a/src/org/cacert/gigi/Gigi.java b/src/org/cacert/gigi/Gigi.java
index 54043358..551c9be0 100644
--- a/src/org/cacert/gigi/Gigi.java
+++ b/src/org/cacert/gigi/Gigi.java
@@ -73,6 +73,11 @@ public class Gigi extends HttpServlet {
 	@Override
 	protected void service(HttpServletRequest req, HttpServletResponse resp)
 			throws ServletException, IOException {
+		addXSSHeaders(resp);
+		if (req.getHeader("Origin") != null) {
+			resp.getWriter().println("No cross domain access allowed.");
+			return;
+		}
 		HttpSession hs = req.getSession();
 		if (req.getPathInfo() != null && req.getPathInfo().equals("/logout")) {
 			if (hs != null) {
@@ -142,5 +147,12 @@ public class Gigi extends HttpServlet {
 		in = in.replaceAll("\\$year\\$", year + "");
 		return in;
 	}
+	public static void addXSSHeaders(HttpServletResponse hsr) {
+		hsr.addHeader("Access-Control-Allow-Origin",
+				"http://cacert.org https://localhost");
+		hsr.addHeader("Access-Control-Max-Age", "60");
+		// hsr.addHeader("Content-Security-Policy",
+		// "default-src 'self'; report-uri https://felix.dogcraft.de/report.php");
 
+	}
 }