Index: /trunk/roundcubemail/program/include/rcube_template.php
===================================================================
--- /trunk/roundcubemail/program/include/rcube_template.php	(revision 5475)
+++ /trunk/roundcubemail/program/include/rcube_template.php	(revision 5476)
@@ -72,4 +72,5 @@
         //$this->framed = $framed;
         $this->set_env('task', $task);
+        $this->set_env('x_frame_options', $this->app->config->get('x_frame_options', 'sameorigin'));
 
         // load the correct skin (in case user-defined)
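Review bot: The configured value is passed through to the client unnormalized, while the JavaScript side compares it against the lowercase literal `'deny'`, so a config entry such as `'DENY'` or `'Deny'` would silently fall into the weaker same-origin branch; normalize it here with `$this->set_env('x_frame_options', strtolower($this->app->config->get('x_frame_options', 'sameorigin')));`. The env value only feeds a client-side check, so it is worth confirming that the same config key also drives an `X-Frame-Options` response header elsewhere, since script-based protection cannot replace the header (the header emission is not visible in this diff). The enclosing constructor starts and ends outside the hunk.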
Index: /trunk/roundcubemail/program/js/app.js
===================================================================
--- /trunk/roundcubemail/program/js/app.js	(revision 5475)
+++ /trunk/roundcubemail/program/js/app.js	(revision 5476)
@@ -145,4 +145,20 @@
     for (n in this.gui_objects)
       this.gui_objects[n] = rcube_find_object(this.gui_objects[n]);
+
+    // clickjacking protection
+    if (this.env.x_frame_options) {
+      try {
+        // bust frame if not allowed
+        if (this.env.x_frame_options == 'deny' && top.location.href != self.location.href)
+          top.location.href = self.location.href;
+        else if (top.location.hostname != self.location.hostname)
+          throw 1;
+      } catch (e) {
+        // possible clickjacking attack: disable all form elements
+        $('form').each(function(){ ref.lock_form(this, true); });
+        this.display_message("Blocked: possible clickjacking attack!", 'error');
+        return;
+      }
+    }
 
     // init registered buttons
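Review bot: The same-origin branch on the `else if` compares only `hostname`, so a framing page on a different scheme or port of the same host is treated as allowed, which is looser than the same-origin semantics the setting name promises; compare origin components instead, e.g. `else if (top.location.protocol != self.location.protocol || top.location.host != self.location.host)`. The `ref` used inside the `$('form').each` callback is not declared in the hunk and is presumably an alias for `this` captured earlier in the function — worth confirming, since an undefined `ref` would throw inside the catch block and skip the `display_message` call. A short comment above the block stating that this check is defense in depth and that the server-side `X-Frame-Options` header remains the primary control would help a future maintainer not treat it as sufficient on its own; the enclosing `init` function starts and ends outside the hunk. Minor style: the comparisons should use `===`/`!==`.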
