@ -17,6 +17,7 @@ CHANGELOG Roundcube Webmail
- Fix compatibility with MySQL 8 - error on 'system' table use
- Managesieve: Fix bug where show_real_foldernames setting wasn't respected (#6422)
- New_user_identity: Fix %fu/%u vars substitution in user specific LDAP params (#6419)
- Fix support for "allow-from <uri>" in "x_frame_options" config option (#6449)
RELEASE 1.4-beta
----------------
@ -588,7 +588,7 @@ EOF;
// allow (legal) iframe content to be loaded
$iframe = $this->framed || $this->env['framed'];
if (!headers_sent() && $iframe && ($xopt = $this->app->config->get('x_frame_options', 'sameorigin'))) {
if (strtolower($xopt) != 'sameorigin') {
if (strtolower($xopt) === 'deny') {
header('X-Frame-Options: sameorigin', true);
}