author | Bharat Mediratta <bharat@menalto.com> | 2012-11-06 11:51:44 -0800 |
committer | Bharat Mediratta <bharat@menalto.com> | 2012-11-06 11:51:44 -0800 |
commit | 50f5286ffbc6a675f97faf629893d2e248382396 (patch) | |
tree | 1a4e0f5601d38fc5ab18d79e76bcc08fc4afedf0 | |
parent | 7a53cebd29c00afbc53ab5c60f8980d8b6d204a0 (diff) |
Elevate X-Frame-Options from all admin and user pages to all PHP
responses. Fixes #1922.
-rw-r--r-- | index.php | 3 | ||||
-rw-r--r-- | themes/admin_wind/views/admin.html.php | 1 | ||||
-rw-r--r-- | themes/wind/views/page.html.php | 1 |
3 files changed, 3 insertions, 2 deletions
@@ -51,6 +51,9 @@ ini_set("display_errors", false); // Ajax code. ini_set("session.use_trans_sid", false); +// Restrict all response frames to the same origin for security +header("X-Frame-Options: SAMEORIGIN"); + define("EXT", ".php"); define("DOCROOT", getcwd() . "/"); define("KOHANA", "index.php");
diff --git a/themes/admin_wind/views/admin.html.php b/themes/admin_wind/views/admin.html.php
index 0300f7af..9a149149 100644
--- a/themes/admin_wind/views/admin.html.php
+++ b/themes/admin_wind/views/admin.html.php
@@ -1,5 +1,4 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
-<?php header("X-Frame-Options: SAMEORIGIN"); ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" <?= $theme->html_attributes() ?> xml:lang="en" lang="en">
diff --git a/themes/wind/views/page.html.php b/themes/wind/views/page.html.php
index 5bbbb509..23021e4d 100644
--- a/themes/wind/views/page.html.php
+++ b/themes/wind/views/page.html.php
@@ -1,5 +1,4 @@
 <?php defined("SYSPATH") or die("No direct script access.") ?>
-<?php header("X-Frame-Options: SAMEORIGIN"); ?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" <?= $theme->html_attributes() ?> xml:lang="en" lang="en"> |
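Review bot: The new `header("X-Frame-Options: SAMEORIGIN");` in index.php is a sensible default, but PHP's header() replaces a same-named header by default, so any theme or module that later emits its own X-Frame-Options (for example to permit embedding) silently overrides this global value rather than being constrained by it; if that is the intended escape hatch, the comment should say so. The comment also names only "security", which leaves the next maintainer guessing at the threat; suggest `// Deny framing by other origins (clickjacking mitigation); sent on every PHP response, a later header() call can override it`. Browsers that implement CSP treat the `frame-ancestors` directive as authoritative over X-Frame-Options, so a follow-up could emit `header("Content-Security-Policy: frame-ancestors 'self'");` next to the existing line for defence in depth. Note the hunk's old-side count (6) exceeds the context lines visible here, so at least one blank context line appears to have been lost in rendering; the theme hunks are pure removals of the per-page header and need no further change.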