summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rwxr-xr-xprogram/include/rcube_template.php1
-rw-r--r--program/js/app.js16
2 files changed, 17 insertions, 0 deletions
diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index 1a82f7e6e..ea221767c 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -71,6 +71,7 @@ class rcube_template extends rcube_html_page
//$this->framed = $framed;
$this->set_env('task', $task);
+ $this->set_env('x_frame_options', $this->app->config->get('x_frame_options', 'sameorigin'));
// load the correct skin (in case user-defined)
$this->set_skin($this->config['skin']);
diff --git a/program/js/app.js b/program/js/app.js
index d784f5354..cc1eeef15 100644
--- a/program/js/app.js
+++ b/program/js/app.js
@@ -145,6 +145,22 @@ function rcube_webmail()
for (n in this.gui_objects)
this.gui_objects[n] = rcube_find_object(this.gui_objects[n]);
+ // clickjacking protection
+ if (this.env.x_frame_options) {
+ try {
+ // bust frame if not allowed
+ if (this.env.x_frame_options == 'deny' && top.location.href != self.location.href)
+ top.location.href = self.location.href;
+ else if (top.location.hostname != self.location.hostname)
+ throw 1;
+ } catch (e) {
+ // possible clickjacking attack: disable all form elements
+ $('form').each(function(){ ref.lock_form(this, true); });
+ this.display_message("Blocked: possible clickjacking attack!", 'error');
+ return;
+ }
+ }
+
// init registered buttons
this.init_buttons();