Protect from Clickjacking by sending X-Frame-Options headers (#1487037)

git-svn-id: https://svn.roundcube.net/trunk@5164 208e9e7b-5314-0410-a742-e7e81cd9613c
author: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> 2011-09-05 08:39:52 +0000
committer: thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> 2011-09-05 08:39:52 +0000
commit: 95f4dd90714e081ad997236e0368ae46d27e431c (patch)
tree: a3b6a4ef050ab88240a1be54b79ab18010efcf67 /roundcubemail/program/include/rcube_template.php
parent: 3988c63cb5266f77dcb334da808987d8f6afa621 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/roundcubemail/program/include/rcube_template.php b/roundcubemail/program/include/rcube_template.php
index c4dd73b23..1ec8e7dd3 100755
--- a/roundcubemail/program/include/rcube_template.php
+++ b/roundcubemail/program/include/rcube_template.php
@@ -356,6 +356,11 @@ class rcube_template extends rcube_html_page
         // make sure all <form> tags have a valid request token
         $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
         $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
+        
+        // send clickjacking protection headers
+        $iframe = $this->framed || !empty($_REQUEST['_framed']);
+        if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
+            header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
 
         // call super method
         parent::write($template, $this->config['skin_path']);
author	thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>	2011-09-05 08:39:52 +0000
committer	thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>	2011-09-05 08:39:52 +0000
commit	95f4dd90714e081ad997236e0368ae46d27e431c (patch)
tree	a3b6a4ef050ab88240a1be54b79ab18010efcf67 /roundcubemail/program/include/rcube_template.php
parent	3988c63cb5266f77dcb334da808987d8f6afa621 (diff)