From 88e52b274694cf52e4d7cf38a8dd7346084c0ed9 Mon Sep 17 00:00:00 2001
From: rgbkrk
Date: Sat, 12 Jul 2014 00:20:24 -0500
Subject: [PATCH] Only allow iframe embedding on same origin.

---
 IPython/html/base/handlers.py | 4 ++++
 IPython/html/services/kernels/tests/test_kernels_api.py | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/IPython/html/base/handlers.py b/IPython/html/base/handlers.py
index e8e60297b..3bf2e2d60 100644
--- a/IPython/html/base/handlers.py
+++ b/IPython/html/base/handlers.py
@@ -39,6 +39,10 @@ class AuthenticatedHandler(web.RequestHandler):
 
     def set_default_headers(self):
         headers = self.settings.get('headers', {})
+
+        if "X-Frame-Options" not in headers:
+            headers["X-Frame-Options"] = "SAMEORIGIN"
+
         for header_name,value in headers.items() :
             try:
                 self.set_header(header_name, value)
diff --git a/IPython/html/services/kernels/tests/test_kernels_api.py b/IPython/html/services/kernels/tests/test_kernels_api.py
index 6c4ef9b96..c3e3c9778 100644
--- a/IPython/html/services/kernels/tests/test_kernels_api.py
+++ b/IPython/html/services/kernels/tests/test_kernels_api.py
@@ -65,6 +65,8 @@ class KernelAPITest(NotebookTestBase):
         self.assertEqual(r.status_code, 201)
         self.assertIsInstance(kern1, dict)
 
+        self.assertEqual(r.headers['x-frame-options'], "SAMEORIGIN")
+
         # GET request
         r = self.kern_api.list()
         self.assertEqual(r.status_code, 200)
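Review bot: The presence check `"X-Frame-Options" not in headers` is case-sensitive while HTTP header names (and tornado's `set_header`) are not, so an operator who configured `x-frame-options` in the `headers` setting ends up with two entries in a dict whose iteration order is arbitrary, and the SAMEORIGIN default may silently overwrite the configured value. A case-insensitive guard closes that: `if not any(k.lower() == "x-frame-options" for k in headers):`. The default is also written back into the dict returned by `self.settings.get('headers', {})`, so when the operator supplied one it is mutated in place on the shared settings; that is harmless here but deserves a comment such as `# default to SAMEORIGIN so other origins cannot frame the notebook (clickjacking); overridable via the 'headers' setting`. Only handlers derived from AuthenticatedHandler receive this default, and whether every served page goes through one is not visible from this hunk. set_default_headers continues past the end of the hunk.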
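Review bot: The new assertion pins only the default on a kernels API response; nothing exercises the path the `not in headers` guard exists for, namely a value configured in the `headers` setting being honored rather than replaced by `SAMEORIGIN`. A sibling test that starts the server with `headers={'X-Frame-Options': 'DENY'}` (and ideally a lowercase key variant) and asserts the configured value comes back would cover the override. Whether NotebookTestBase lets a test supply server settings is not visible from this hunk. The enclosing test method starts before the hunk.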