summaryrefslogtreecommitdiff
path: root/program/include/rcube_template.php
diff options
context:
space:
mode:
authorthomascube <thomas@roundcube.net>2011-09-05 08:39:52 +0000
committerthomascube <thomas@roundcube.net>2011-09-05 08:39:52 +0000
commitc170bfc92f48dea0dc009916251acf730b1d885f (patch)
treed02af8a255663f025c436979b11c6608b62ba8b5 /program/include/rcube_template.php
parent94a5a24fc2a8040b22d4012773ebb6879957cfdf (diff)
Protect from Clickjacking by sending X-Frame-Options headers (#1487037)
Diffstat (limited to 'program/include/rcube_template.php')
-rwxr-xr-xprogram/include/rcube_template.php5
1 files changed, 5 insertions, 0 deletions
diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index c4dd73b23..1ec8e7dd3 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -356,6 +356,11 @@ class rcube_template extends rcube_html_page
// make sure all <form> tags have a valid request token
$template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
$this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
+
+ // send clickjacking protection headers
+ $iframe = $this->framed || !empty($_REQUEST['_framed']);
+ if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
+ header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
// call super method
parent::write($template, $this->config['skin_path']);