Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)

pull/6132/head
Aleksander Machniak 7 years ago
parent 59bbf6c081
commit 8de9fa707b

@ -72,6 +72,7 @@ CHANGELOG Roundcube Webmail
- Fix syntax error in mssql.initial.sql (#6097) - Fix syntax error in mssql.initial.sql (#6097)
- Fix bug where contacts export by selection returned no more than 10 entries (#6103) - Fix bug where contacts export by selection returned no more than 10 entries (#6103)
- Fix searching contacts by address in LDAP source (#6084) - Fix searching contacts by address in LDAP source (#6084)
- Fix X-Frame-Options:ALLOW-FROM support, remove custom click-jacking protection (#6057)
RELEASE 1.3.3 RELEASE 1.3.3
------------- -------------

@ -176,24 +176,6 @@ function rcube_webmail()
for (n in this.gui_objects) for (n in this.gui_objects)
this.gui_objects[n] = rcube_find_object(this.gui_objects[n]); this.gui_objects[n] = rcube_find_object(this.gui_objects[n]);
// clickjacking protection
if ((n = this.env.x_frame_options) && self !== top) {
try {
// bust frame if not allowed
if (n.toLowerCase() == 'deny' && top.location.href != self.location.href)
top.location.href = self.location.href;
else if (/^allow-from[\s\t]+(.+)$/i.test(n) && RegExp.$1.indexOf(top.location.origin) != 0)
throw 1;
else if (top.location.hostname != self.location.hostname)
throw 1;
} catch (e) {
// possible clickjacking attack: disable all form elements
$('form').each(function(){ ref.lock_form(this, true); });
this.display_message("Blocked: possible clickjacking attack!", 'error');
return;
}
}
// init registered buttons // init registered buttons
this.init_buttons(); this.init_buttons();

Loading…
Cancel
Save