Improve clickjacking protection: bust frame or disable all form elements and abort UI initialization

pull/1/head
thomascube 13 years ago
parent d65dd9cbe8
commit 10e2dbbb9c

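--- a/PATH_NOT_SHOWN_ON_PAGE (rcube_template class file)
+++ b/PATH_NOT_SHOWN_ON_PAGE (rcube_template class file)
@@ -71,6 +71,7 @@ class rcube_template extends rcube_html_page
 //$this->framed = $framed;
 $this->set_env('task', $task);
+$this->set_env('x_frame_options', $this->app->config->get('x_frame_options', 'sameorigin'));
 // load the correct skin (in case user-defined)
 $this->set_skin($this->config['skin']);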
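Review bot: The `x_frame_options` config value is handed to the client unnormalised, while the JavaScript consumer compares it with a lowercase literal (`== 'deny'`), so a value such as `DENY` would silently degrade to the weaker same-origin hostname check; normalise at this point with `$this->set_env('x_frame_options', strtolower($this->app->config->get('x_frame_options', 'sameorigin')));` (or lowercase in the JS check). This env value only drives the client-side fallback; the server-sent X-Frame-Options response header is the control an embedding page cannot interfere with, and nothing in this hunk shows it being emitted, which is presumably done elsewhere. The constructor this line belongs to starts and ends outside the hunk.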

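--- a/PATH_NOT_SHOWN_ON_PAGE (rcube_webmail script)
+++ b/PATH_NOT_SHOWN_ON_PAGE (rcube_webmail script)
@@ -145,6 +145,22 @@ function rcube_webmail()
 for (n in this.gui_objects)
 this.gui_objects[n] = rcube_find_object(this.gui_objects[n]);
+// clickjacking protection
+if (this.env.x_frame_options) {
+try {
+// bust frame if not allowed
+if (this.env.x_frame_options == 'deny' && top.location.href != self.location.href)
+top.location.href = self.location.href;
+else if (top.location.hostname != self.location.hostname)
+throw 1;
+} catch (e) {
+// possible clickjacking attack: disable all form elements
+$('form').each(function(){ ref.lock_form(this, true); });
+this.display_message("Blocked: possible clickjacking attack!", 'error');
+return;
+}
+}
 // init registered buttons
 this.init_buttons();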
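Review bot: In the `deny` branch the frame-bust assignment `top.location.href = self.location.href` does not throw, so execution falls through to `this.init_buttons()` and the rest of the initialisation while the top-level navigation is still pending, and the UI stays fully usable if the embedding page prevents that navigation from completing; make the branch enter the same lock-down by adding `throw 1;` directly after the assignment (a descriptive `throw new Error('framed');` would read better than the bare `1` used on both throw sites). Note that with `deny` a cross-origin parent already takes the catch path, because reading `top.location.href` throws in that case, so the explicit bust only ever runs for same-origin framing. Since the whole check executes inside the framed document it is a fallback only; the server-sent X-Frame-Options header, which this diff does not show, remains the authoritative control. `ref` is presumably the constructor-scoped alias for `this` declared outside the hunk; rcube_webmail continues outside the hunk in both directions.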
