diff options
author | thomascube <thomas@roundcube.net> | 2011-09-05 08:39:52 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2011-09-05 08:39:52 +0000 |
commit | c170bfc92f48dea0dc009916251acf730b1d885f (patch) | |
tree | d02af8a255663f025c436979b11c6608b62ba8b5 /program/include/rcube_template.php | |
parent | 94a5a24fc2a8040b22d4012773ebb6879957cfdf (diff) |
Protect from Clickjacking by sending X-Frame-Options headers (#1487037)
Diffstat (limited to 'program/include/rcube_template.php')
-rwxr-xr-x | program/include/rcube_template.php | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php index c4dd73b23..1ec8e7dd3 100755 --- a/program/include/rcube_template.php +++ b/program/include/rcube_template.php @@ -356,6 +356,11 @@ class rcube_template extends rcube_html_page // make sure all <form> tags have a valid request token $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template); $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer); + + // send clickjacking protection headers + $iframe = $this->framed || !empty($_REQUEST['_framed']); + if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) + header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe)); // call super method parent::write($template, $this->config['skin_path']); |