Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)

7 years ago · 65da434867
parent b9c038ca63
commit 65da434867
2 changed files with 1 additions and 18 deletions
--- a/1
+++ b/1
@ -11,6 +11,7 @@ CHANGELOG Roundcube Webmail
 - Fix syntax error in mssql.initial.sql (#6097)
 - Fix bug where contacts export by selection returned no more than 10 entries (#6103)
 - Fix searching contacts by address in LDAP source (#6084)
+- Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)

 RELEASE 1.3.3
 -------------
--- a/program/js/app.js
+++ b/program/js/app.js
@ -175,24 +175,6 @@ function rcube_webmail()
    for (n in this.gui_objects)
      this.gui_objects[n] = rcube_find_object(this.gui_objects[n]);

-    // clickjacking protection
-    if (n = this.env.x_frame_options) {
-      try {
-        // bust frame if not allowed
-        if (n.toLowerCase() == 'deny' && top.location.href != self.location.href)
-          top.location.href = self.location.href;
-        else if (/^allow-from[\s\t]+(.+)$/i.test(n) && RegExp.$1.indexOf(top.location.origin) != 0)
-          throw 1;
-        else if (top.location.hostname != self.location.hostname)
-          throw 1;
-      } catch (e) {
-        // possible clickjacking attack: disable all form elements
-        $('form').each(function(){ ref.lock_form(this, true); });
-        this.display_message("Blocked: possible clickjacking attack!", 'error');
-        return;
-      }
-    }
-
    // init registered buttons
    this.init_buttons();