Add X-Frame-Options to WebUI pages.

chrome/browser/ui/webui/chrome_url_data_manager_backend.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/webui/chrome_url_data_manager_backend.h"
 
 #include <set>
 
 #include "base/basictypes.h"
 #include "base/bind.h"
@@ skipping 108 matching lines @@
         g_chrome_url_content_security_policy_object_tag_set.Pointer();
 
     base.append(object_tag_set->find(url.host()) == object_tag_set->end() ?
                 "object-src 'none';" :
                 "object-src 'self';");
 
     headers->AddHeader(base);
   }
 }
 
+const char kChromeURLXFrameOptionsHeader[] = "X-Frame-Options: DENY";
+
+// It is OK to add exceptions to this set as needed.
+class ChromeURLXFrameOptionsExceptionSet
+    : public std::set<std::string> {
+ public:
+  ChromeURLXFrameOptionsExceptionSet() : std::set<std::string>() {
+    insert(chrome::kChromeUIExtensionsFrameHost);
+    insert(chrome::kChromeUIHelpFrameHost);
+    insert(chrome::kChromeUIHistoryFrameHost);
+    insert(chrome::kChromeUISettingsFrameHost);
+    insert(chrome::kChromeUIUberFrameHost);
+  }
+};
+
+base::LazyInstance<ChromeURLXFrameOptionsExceptionSet>
+    g_chrome_url_x_frame_options_exception_set = LAZY_INSTANCE_INITIALIZER;
+
+void AddXFrameOptionsHeader(
+    const GURL& url, net::HttpResponseHeaders* headers) {
+  ChromeURLXFrameOptionsExceptionSet* exceptions =
+      g_chrome_url_x_frame_options_exception_set.Pointer();
+  if (exceptions->find(url.host()) == exceptions->end())
+    headers->AddHeader(kChromeURLXFrameOptionsHeader);
+}
+
 // Parse a URL into the components used to resolve its request. |source_name|
 // is the hostname and |path| is the remaining portion of the URL.
 void URLToRequest(const GURL& url, std::string* source_name,
                   std::string* path) {
   DCHECK(url.SchemeIs(chrome::kChromeDevToolsScheme) ||
          url.SchemeIs(chrome::kChromeUIScheme));
 
   if (!url.is_valid()) {
     NOTREACHED();
     return;
@@ skipping 119 matching lines @@
   return !mime_type_.empty();
 }
 
 void URLRequestChromeJob::GetResponseInfo(net::HttpResponseInfo* info) {
   DCHECK(!info->headers);
   // Set the headers so that requests serviced by ChromeURLDataManager return a
   // status code of 200. Without this they return a 0, which makes the status
   // indistiguishable from other error types. Instant relies on getting a 200.
   info->headers = new net::HttpResponseHeaders("HTTP/1.1 200 OK");
   AddContentSecurityPolicyHeader(request_->url(), info->headers);
+  AddXFrameOptionsHeader(request_->url(), info->headers);
   if (!allow_caching_)
     info->headers->AddHeader("Cache-Control: no-cache");
 }
 
 void URLRequestChromeJob::MimeTypeAvailable(const std::string& mime_type) {
   set_mime_type(mime_type);
   NotifyHeadersComplete();
 }
 
 void URLRequestChromeJob::DataAvailable(base::RefCountedMemory* bytes) {
@@ skipping 326 matching lines @@
   return new URLRequestChromeJob(request, backend_);
 }
 
 }  // namespace
 
 net::URLRequestJobFactory::ProtocolHandler*
 CreateDevToolsProtocolHandler(ChromeURLDataManagerBackend* backend,
                               net::NetworkDelegate* network_delegate) {
   return new DevToolsJobFactory(backend, network_delegate);
 }