Protect from Clickjacking by sending X-Frame-Options headers (#1487037)

release-0.7
thomascube 13 years ago
parent 94a5a24fc2
commit c170bfc92f

@ -237,6 +237,10 @@ $rcmail_config['ip_check'] = false;
// check referer of incoming requests // check referer of incoming requests
$rcmail_config['referer_check'] = false; $rcmail_config['referer_check'] = false;
// X-Frame-Options HTTP header value sent to prevent from Clickjacking.
// Possible values: sameorigin|deny. Set to false in order to disable sending them
$rcmail_confoig['x_frame_options'] = 'sameorigin';
// this key is used to encrypt the users imap password which is stored // this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled). // in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars. // please provide a string of exactly 24 chars.
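Review bot: The new option line assigns `$rcmail_confoig['x_frame_options']` — the array name is misspelled, so any install that copies this dist file never actually sets `x_frame_options`, and an admin editing that line to `deny` or `false` will see no effect. The runtime default of `'sameorigin'` in rcube_template hides the typo today but does not make the setting configurable. Change the line to `$rcmail_config['x_frame_options'] = 'sameorigin';`. The comment could also mention that `deny` is relaxed to `sameorigin` for framed (`_framed`) responses, which is what the template code does and would otherwise surprise an admin choosing `deny`.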

@ -356,6 +356,11 @@ class rcube_template extends rcube_html_page
// make sure all <form> tags have a valid request token // make sure all <form> tags have a valid request token
$template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template); $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
$this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer); $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
// send clickjacking protection headers
$iframe = $this->framed || !empty($_REQUEST['_framed']);
if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
// call super method // call super method
parent::write($template, $this->config['skin_path']); parent::write($template, $this->config['skin_path']);
