diff options
-rw-r--r-- | config/main.inc.php.dist | 4 | ||||
-rwxr-xr-x | program/include/rcube_template.php | 5 |
2 files changed, 9 insertions, 0 deletions
diff --git a/config/main.inc.php.dist b/config/main.inc.php.dist index 822c6e63a..30268e079 100644 --- a/config/main.inc.php.dist +++ b/config/main.inc.php.dist @@ -237,6 +237,10 @@ $rcmail_config['ip_check'] = false; // check referer of incoming requests $rcmail_config['referer_check'] = false; +// X-Frame-Options HTTP header value sent to prevent from Clickjacking. +// Possible values: sameorigin|deny. Set to false in order to disable sending them +$rcmail_confoig['x_frame_options'] = 'sameorigin'; + // this key is used to encrypt the users imap password which is stored // in the session record (and the client cookie if remember password is enabled). // please provide a string of exactly 24 chars. diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php index c4dd73b23..1ec8e7dd3 100755 --- a/program/include/rcube_template.php +++ b/program/include/rcube_template.php @@ -356,6 +356,11 @@ class rcube_template extends rcube_html_page // make sure all <form> tags have a valid request token $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template); $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer); + + // send clickjacking protection headers + $iframe = $this->framed || !empty($_REQUEST['_framed']); + if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) + header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe)); // call super method parent::write($template, $this->config['skin_path']); |