| author | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2011-11-23 18:53:58 +0000 |
|---|---|---|
| committer | thomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c> | 2011-11-23 18:53:58 +0000 |
| commit | 51b94df0049f3855d6660ddbfa8c81da28d7cb8a (patch) | |
| tree | 48a3189ae8360f555c646239816cf5c2b286ad30 /roundcubemail/program/js | |
| parent | 51e1ea40b9d6668c6c2dba6a0eb8d23dc9a5edef (diff) | |
Improve clickjacking protection: bust frame or disable all form elements and abort UI initialization
git-svn-id: https://svn.roundcube.net/trunk@5476 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/program/js')
| -rw-r--r-- | roundcubemail/program/js/app.js | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/roundcubemail/program/js/app.js b/roundcubemail/program/js/app.js
index d784f5354..cc1eeef15 100644
--- a/roundcubemail/program/js/app.js
+++ b/roundcubemail/program/js/app.js
@@ -145,6 +145,22 @@ function rcube_webmail()
 for (n in this.gui_objects)
 this.gui_objects[n] = rcube_find_object(this.gui_objects[n]);
+ // clickjacking protection
+ if (this.env.x_frame_options) {
+ try {
+ // bust frame if not allowed
+ if (this.env.x_frame_options == 'deny' && top.location.href != self.location.href)
+ top.location.href = self.location.href;
+ else if (top.location.hostname != self.location.hostname)
+ throw 1;
+ } catch (e) {
+ // possible clickjacking attack: disable all form elements
+ $('form').each(function(){ ref.lock_form(this, true); });
+ this.display_message("Blocked: possible clickjacking attack!", 'error');
+ return;
+ }
+ }
+
 // init registered buttons
 this.init_buttons();
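Review bot: In the `deny` branch, `top.location.href != self.location.href` reads `top.location` of the framing window, which throws when that window is on another origin — so the frame-bust assignment on the next line never runs for exactly the hostile cross-origin case and the code lands in the catch (forms locked, init aborted) instead; comparing window identity avoids the read, `if (this.env.x_frame_options == 'deny' && top !== self)`. The catch intentionally treats both the explicit `throw 1` and that access exception as evidence of framing, which is worth saying in the comment, and `throw 1` reads better as `throw new Error('framed by a foreign origin')`. Script-side busting can be defeated by the framing page, so this block should stay a fallback to the X-Frame-Options response header that `this.env.x_frame_options` appears to mirror — confirm the header is still sent. `ref` and the enclosing `rcube_webmail` function start outside the hunk.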
