Merge pull request #6120 from rgbkrk/no_iframe_embedding

Only allow iframe embedding on same origin by default.

IPython/html/base/handlers.py

@@ -39,6 +39,10 @@ class AuthenticatedHandler(web.RequestHandler):
 
     def set_default_headers(self):
         headers = self.settings.get('headers', {})
+
+        if "X-Frame-Options" not in headers:
+            headers["X-Frame-Options"] = "SAMEORIGIN"
+
         for header_name,value in headers.items() :
             try:
                 self.set_header(header_name, value)

IPython/html/services/kernels/tests/test_kernels_api.py

@@ -65,6 +65,8 @@ class KernelAPITest(NotebookTestBase):
         self.assertEqual(r.status_code, 201)
         self.assertIsInstance(kern1, dict)
 
+        self.assertEqual(r.headers['x-frame-options'], "SAMEORIGIN")
+
         # GET request
         r = self.kern_api.list()
         self.assertEqual(r.status_code, 200)