Add WebUI Security Headers (#9775)

validator/web/BUILD.bazel

@@ -9,6 +9,7 @@ go_library(
         "doc.go",
         "handler.go",
         "log.go",
+        "headers.go",
         ":site_data",  # keep
     ],
     importpath = "github.com/prysmaticlabs/prysm/validator/web",

validator/web/handler.go

@@ -11,6 +11,7 @@ const prefix = "external/prysm_web_ui/prysm-web-ui"
 
 // Handler serves web requests from the bundled site data.
 var Handler = func(res http.ResponseWriter, req *http.Request) {
+	addSecurityHeaders(res)
 	u, err := url.ParseRequestURI(req.RequestURI)
 	if err != nil {
 		log.WithError(err).Error("Cannot parse request URI")

validator/web/headers.go

@@ -0,0 +1,14 @@
+package web
+
+import "net/http"
+
+func addSecurityHeaders(w http.ResponseWriter) {
+	// Deny displaying the web UI in any iframe.
+	w.Header().Add("X-Frame-Options", "DENY")
+	// Prevent xss in case a malicious HTML markup is served in any page.
+	w.Header().Add("X-Content-Type-Options", "nosniff")
+	// Prevent opening site in pop-up window to exploit cross-site leaks.
+	w.Header().Add("Cross-Origin-Opener-Policy", "same-origin-allow-popups")
+	// Prevent embedding from another resource.
+	w.Header().Add("Cross-Origin-Resource-Policy", "same-origin")
+}