From c170bfc92f48dea0dc009916251acf730b1d885f Mon Sep 17 00:00:00 2001 From: thomascube Date: Mon, 5 Sep 2011 08:39:52 +0000 Subject: Protect from Clickjacking by sending X-Frame-Options headers (#1487037) --- config/main.inc.php.dist | 4 ++++ program/include/rcube_template.php | 5 +++++ 2 files changed, 9 insertions(+) diff --git a/config/main.inc.php.dist b/config/main.inc.php.dist index 822c6e63a..30268e079 100644 --- a/config/main.inc.php.dist +++ b/config/main.inc.php.dist @@ -237,6 +237,10 @@ $rcmail_config['ip_check'] = false; // check referer of incoming requests $rcmail_config['referer_check'] = false; +// X-Frame-Options HTTP header value sent to prevent from Clickjacking. +// Possible values: sameorigin|deny. Set to false in order to disable sending them +$rcmail_confoig['x_frame_options'] = 'sameorigin'; + // this key is used to encrypt the users imap password which is stored // in the session record (and the client cookie if remember password is enabled). // please provide a string of exactly 24 chars. diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php index c4dd73b23..1ec8e7dd3 100755 --- a/program/include/rcube_template.php +++ b/program/include/rcube_template.php @@ -356,6 +356,11 @@ class rcube_template extends rcube_html_page // make sure all
tags have a valid request token $template = preg_replace_callback('/]+)>/Ui', array($this, 'alter_form_tag'), $template); $this->footer = preg_replace_callback('/]+)>/Ui', array($this, 'alter_form_tag'), $this->footer); + + // send clickjacking protection headers + $iframe = $this->framed || !empty($_REQUEST['_framed']); + if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) + header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe)); // call super method parent::write($template, $this->config['skin_path']); -- cgit v1.2.3