Ensure that HTML pages served from Synapse include headers to avoid embedding.

2025-05-02 17:54:48 -04:00 · 2020-07-01 09:10:23 -04:00 · 2020-07-01 09:10:23 -04:00 · ea26e9a98b
commit ea26e9a98b
parent 0fc5575c5b
10 changed files with 103 additions and 94 deletions
--- a/synapse/rest/client/v2_alpha/account.py
+++ b/synapse/rest/client/v2_alpha/account.py
@ -21,7 +21,7 @@ from six.moves import http_client
 from synapse.api.constants import LoginType
 from synapse.api.errors import Codes, SynapseError, ThreepidValidationError
 from synapse.config.emailconfig import ThreepidBehaviour
-from synapse.http.server import finish_request
+from synapse.http.server import finish_request, respond_with_html
 from synapse.http.servlet import (
    RestServlet,
    assert_params_in_dict,
@ -199,16 +199,15 @@ class PasswordResetSubmitTokenServlet(RestServlet):

            # Otherwise show the success template
            html = self.config.email_password_reset_template_success_html
-            request.setResponseCode(200)
+            status_code = 200
        except ThreepidValidationError as e:
-            request.setResponseCode(e.code)
+            status_code = e.code

            # Show a failure page with a reason
            template_vars = {"failure_reason": e.msg}
            html = self.failure_email_template.render(**template_vars)

-        request.write(html.encode("utf-8"))
-        finish_request(request)
+        respond_with_html(request, status_code, html)


 class PasswordRestServlet(RestServlet):
@ -571,16 +570,15 @@ class AddThreepidEmailSubmitTokenServlet(RestServlet):

            # Otherwise show the success template
            html = self.config.email_add_threepid_template_success_html_content
-            request.setResponseCode(200)
+            status_code = 200
        except ThreepidValidationError as e:
-            request.setResponseCode(e.code)
+            status_code = e.code

            # Show a failure page with a reason
            template_vars = {"failure_reason": e.msg}
            html = self.failure_email_template.render(**template_vars)

-        request.write(html.encode("utf-8"))
-        finish_request(request)
+        respond_with_html(request, status_code, html)


 class AddThreepidMsisdnSubmitTokenServlet(RestServlet):