@ -175,25 +175,40 @@ abstract class rcube_output
}
/**
* Send browser compatibility/security/etc. headers
* Send browser compatibility/security/privacy headers
*
* @param bool $privacy Enable privacy headers
*/
public function common_headers()
public function common_headers($privacy = true)
{
if (headers_sent()) {
return;
}
$headers = array();
// Unlock IE compatibility mode
if ($this->browser->ie) {
header('X-UA-Compatible: IE=edge');
$headers['X-UA-Compatible'] = 'IE=edge';
}
// Request browser to disable DNS prefetching (CVE-2010-0464)
header("X-DNS-Prefetch-Control: off");
if ($privacy) {
// Request browser to disable DNS prefetching (CVE-2010-0464)
$headers['X-DNS-Prefetch-Control'] = 'off';
// Request browser disable Referer (sic) header
$headers['Referrer-Policy'] = 'same-origin';
}
// send CSRF and clickjacking protection headers
if ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')) {
header('X-Frame-Options: ' . $xframe);
$headers['X-Frame-Options'] = $xframe;
}
$plugin = $this->app->plugins->exec_hook('common_headers', array('headers' => $headers, 'privacy' => $privacy));
foreach ($plugin['headers'] as $header => $value) {
header("$header: $value");
}
}
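Review bot: The comment above the new `Referrer-Policy` line overstates what `same-origin` does — the browser still sends Referer on same-origin requests and only withholds it for cross-origin navigations and subresources; suggest `// Request browser not to send the Referer header to other origins`. The new foreach at the end of common_headers() hands whatever the `common_headers` hook returns straight to `header()`, so a plugin that unsets `X-Frame-Options` from the array silently removes the clickjacking protection the old code always emitted when configured, and a non-string value would go out as a malformed header (`Array`). PHP's `header()` rejects values containing CR/LF, so a second header cannot be injected through this path, but an `is_string($value)` guard (or an explicit cast) before `header("$header: $value")` would make a misbehaving plugin fail visibly instead of shipping a bad header. common_headers() is complete within this hunk; the enclosing class continues outside it.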