From 7a53cebd29c00afbc53ab5c60f8980d8b6d204a0 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Thu, 1 Nov 2012 09:51:35 -0700
Subject: Don't show the sidebar on error pages - it just increases the chances that we'll compound the error. Instead, focus on the error or the login form. Fixes #1921.
---
themes/wind/views/page.html.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'themes')
diff --git a/themes/wind/views/page.html.php b/themes/wind/views/page.html.php
index c3e212c5..5bbbb509 100644
--- a/themes/wind/views/page.html.php
+++ b/themes/wind/views/page.html.php
@@ -131,7 +131,7 @@
- page_subtype != "login"): ?>
+ page_subtype, array("login", "error"))): ?>
--
cgit v1.2.3
From 50f5286ffbc6a675f97faf629893d2e248382396 Mon Sep 17 00:00:00 2001
From: Bharat Mediratta
Date: Tue, 6 Nov 2012 11:51:44 -0800
Subject: Elevate X-Frame-Options from all admin and user pages to all PHP responses. Fixes #1922.
---
index.php | 3 +++
themes/admin_wind/views/admin.html.php | 1 -
themes/wind/views/page.html.php | 1 -
3 files changed, 3 insertions(+), 2 deletions(-)
(limited to 'themes')
diff --git a/index.php b/index.php
index 9a6cc2ea..e6540791 100644
--- a/index.php
+++ b/index.php
@@ -51,6 +51,9 @@ ini_set("display_errors", false);
 // Ajax code.
 ini_set("session.use_trans_sid", false);
 
+// Restrict all response frames to the same origin for security
+header("X-Frame-Options: SAMEORIGIN");
+
 define("EXT", ".php");
 define("DOCROOT", getcwd() . "/");
 define("KOHANA", "index.php");
diff --git a/themes/admin_wind/views/admin.html.php b/themes/admin_wind/views/admin.html.php
index 0300f7af..9a149149 100644
--- a/themes/admin_wind/views/admin.html.php
+++ b/themes/admin_wind/views/admin.html.php
@@ -1,5 +1,4 @@ - html_attributes() ?> xml:lang="en" lang="en">
diff --git a/themes/wind/views/page.html.php b/themes/wind/views/page.html.php
index 5bbbb509..23021e4d 100644
--- a/themes/wind/views/page.html.php
+++ b/themes/wind/views/page.html.php
@@ -1,5 +1,4 @@ - html_attributes() ?> xml:lang="en" lang="en">
--
cgit v1.2.3
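Review bot: The comment added above `header("X-Frame-Options: SAMEORIGIN");` in the index.php hunk says "for security" without naming the threat or the limit of the coverage: the header is only sent for requests that execute index.php, so files the web server serves directly (and any other PHP entry point, if the project has one) never get it. I would reword it to `// Clickjacking defense: responses generated through index.php may only be framed by same-origin pages.` Browsers that support CSP give `frame-ancestors` precedence over X-Frame-Options, so adding `header("Content-Security-Policy: frame-ancestors 'self'");` next to it states the same policy in the form they prefer. PHP's header() replaces an earlier header of the same name by default, so a later call in a module or theme can still change this value; the removed lines in the two theme hunks are not legible on this page, but judging by the commit subject they are the per-view copies of this header.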