From 4d6293baf8b3682a2c10dc6be41644ac541fef69 Mon Sep 17 00:00:00 2001
From: Shane Tomlinson <stomlinson@mozilla.com>
Date: Tue, 30 Aug 2011 15:47:24 -0700
Subject: [PATCH] Only allow relay to be opened in an iframe.

---
 browserid/app.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/browserid/app.js b/browserid/app.js
index c04100524..b0382d432 100644
--- a/browserid/app.js
+++ b/browserid/app.js
@@ -87,6 +87,8 @@ function router(app) {
 
   // Used for a relay page for communication.
   app.get('/relay', function(req, res, next ) {
+    // Allow the relay to be run within a frame
+    res.removeHeader('x-frame-options');
     res.render('relay.ejs', {
       layout: false,
       production: configuration.get('use_minified_resources')
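Review bot: With `x-frame-options` removed on `/relay`, the response can be framed by any origin, and nothing in this handler makes the page refuse a top-level load, so the "only in an iframe" of the commit subject is not enforced by these lines. The relay's safety then rests on `relay.ejs` and its script checking the origin of every message they accept, which is outside this hunk and should be confirmed. I would record that in the comment, e.g. `// Only route exempt from the global x-frame-options: DENY; the relay script must validate message origins`. The removal also only has an effect if the header-setting middleware in `exports.setup` has already run for this request, an ordering the hunk does not show. The handler body continues past the end of the hunk.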
@@ -251,7 +253,7 @@ exports.setup = function(server) {
 
   // prevent framing
   server.use(function(req, resp, next) {
-    //resp.setHeader('x-frame-options', 'DENY');
+    resp.setHeader('x-frame-options', 'DENY');
     next();
   });
 
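Review bot: The `// prevent framing` comment now reads as if every response carries `DENY`, but `/relay` strips the header again in `router()`. I would write `// prevent framing (clickjacking) on every route except /relay, which removes this header`. Whether static assets and error responses also get the header depends on where this `server.use` sits relative to the other middleware in `exports.setup`, which starts and ends outside the hunk. It should be registered before anything that can end the response. A small request test asserting that the header is present on a normal page and absent on `/relay` would keep the two places from drifting apart.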
-- 
GitLab