From 10e2dbbb9c49f1721b4d740bc102c10c742a7b76 Mon Sep 17 00:00:00 2001 From: thomascube Date: Wed, 23 Nov 2011 18:53:58 +0000 Subject: Improve clickjacking protection: bust frame or disable all form elements and abort UI initialization --- program/include/rcube_template.php | 1 + program/js/app.js | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php index 1a82f7e6e..ea221767c 100755 --- a/program/include/rcube_template.php +++ b/program/include/rcube_template.php @@ -71,6 +71,7 @@ class rcube_template extends rcube_html_page //$this->framed = $framed; $this->set_env('task', $task); + $this->set_env('x_frame_options', $this->app->config->get('x_frame_options', 'sameorigin')); // load the correct skin (in case user-defined) $this->set_skin($this->config['skin']); diff --git a/program/js/app.js b/program/js/app.js index d784f5354..cc1eeef15 100644 --- a/program/js/app.js +++ b/program/js/app.js @@ -145,6 +145,22 @@ function rcube_webmail() for (n in this.gui_objects) this.gui_objects[n] = rcube_find_object(this.gui_objects[n]); + // clickjacking protection + if (this.env.x_frame_options) { + try { + // bust frame if not allowed + if (this.env.x_frame_options == 'deny' && top.location.href != self.location.href) + top.location.href = self.location.href; + else if (top.location.hostname != self.location.hostname) + throw 1; + } catch (e) { + // possible clickjacking attack: disable all form elements + $('form').each(function(){ ref.lock_form(this, true); }); + this.display_message("Blocked: possible clickjacking attack!", 'error'); + return; + } + } + // init registered buttons this.init_buttons(); -- cgit v1.2.3