Protect from Clickjacking by sending X-Frame-Options headers (#1487037)

13 years ago · c170bfc92f
parent 94a5a24fc2
commit c170bfc92f
2 changed files with 9 additions and 0 deletions
--- a/config/main.inc.php.dist
+++ b/config/main.inc.php.dist
@ -237,6 +237,10 @@ $rcmail_config['ip_check'] = false;
 // check referer of incoming requests
 $rcmail_config['referer_check'] = false;

+// X-Frame-Options HTTP header value sent to prevent from Clickjacking.
+// Possible values: sameorigin|deny. Set to false in order to disable sending them
+$rcmail_confoig['x_frame_options'] = 'sameorigin';
+
 // this key is used to encrypt the users imap password which is stored
 // in the session record (and the client cookie if remember password is enabled).
 // please provide a string of exactly 24 chars.
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@ -357,6 +357,11 @@ class rcube_template extends rcube_html_page
        $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
        $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
        
+        // send clickjacking protection headers
+        $iframe = $this->framed || !empty($_REQUEST['_framed']);
+        if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
+            header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
+
        // call super method
        parent::write($template, $this->config['skin_path']);
    }