Changeset 5164 in subversion

Timestamp:

Sep 5, 2011 4:39:52 AM (21 months ago)

Author:

thomasb

Message:

Protect from Clickjacking by sending X-Frame-Options headers (#1487037)

Location:

trunk/roundcubemail

Files:

• config/main.inc.php.dist (modified) (1 diff)
• program/include/rcube_template.php (modified) (1 diff)

trunk/roundcubemail/config/main.inc.php.dist

@@ -237 +237 @@
 // check referer of incoming requests
 $rcmail_config['referer_check'] = false;
+
+// X-Frame-Options HTTP header value sent to prevent from Clickjacking.
+// Possible values: sameorigin|deny. Set to false in order to disable sending them
+$rcmail_confoig['x_frame_options'] = 'sameorigin';
 
 // this key is used to encrypt the users imap password which is stored

trunk/roundcubemail/program/include/rcube_template.php

@@ -357 +357 @@
         $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
         $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
+        
+        // send clickjacking protection headers
+        $iframe = $this->framed || !empty($_REQUEST['_framed']);
+        if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
+            header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
 
         // call super method