From 86b0046f287f1a24a9fcb216fd1a31ea49823ee6 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Tue, 27 Dec 2016 11:37:35 +0100
Subject: [PATCH] Don't allow load load wrapper frames as prefetch or as image
---
 src/Ui/UiRequest.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 046e55c6..560486e8 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -191,6 +191,11 @@ class UiRequest(object):
 if self.isAjaxRequest():
 return self.error403("Ajax request not allowed to load wrapper") # No ajax allowed on wrapper
+ if "text/html" not in self.env["HTTP_ACCEPT"]:
+ return self.error403("Invalid Accept header to load wrapper")
+ if "prefetch" in self.env.get("HTTP_X_MOZ", "") or "prefetch" in self.env.get("HTTP_PURPOSE", ""):
+ return self.error403("Prefetch not allowed to load wrapper")
+
 site = SiteManager.site_manager.get(address)
 if (
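Review bot: The new Accept check indexes `self.env["HTTP_ACCEPT"]` directly, so a request that sends no Accept header would raise KeyError rather than return the intended 403, assuming `self.env` is the WSGI environ dict as the `.get()` calls on the next added line suggest. Use the same defaulting form as the prefetch check: `if "text/html" not in self.env.get("HTTP_ACCEPT", ""):`. Both added checks depend on request headers that a browser sets for image and prefetch loads, so they narrow how the wrapper can be fetched but should not be read as the only control on wrapper loads. A one-line comment above them stating that intent would help the next reader. The enclosing method starts and ends outside the hunk.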