thomascube
2011-11-23 10e2dbbb9c49f1721b4d740bc102c10c742a7b76
Improve clickjacking protection: bust frame or disable all form elements and abort UI initialization

2 files modified
17 ■■■■■ changed files
program/include/rcube_template.php 1 ●●●● patch | view | raw | blame | history
program/js/app.js 16 ●●●●● patch | view | raw | blame | history
program/include/rcube_template.php
@@ -71,6 +71,7 @@
        //$this->framed = $framed;
        $this->set_env('task', $task);
        $this->set_env('x_frame_options', $this->app->config->get('x_frame_options', 'sameorigin'));
        // load the correct skin (in case user-defined)
        $this->set_skin($this->config['skin']);
program/js/app.js
@@ -145,6 +145,22 @@
    for (n in this.gui_objects)
      this.gui_objects[n] = rcube_find_object(this.gui_objects[n]);
    // clickjacking protection
    if (this.env.x_frame_options) {
      try {
        // bust frame if not allowed
        if (this.env.x_frame_options == 'deny' && top.location.href != self.location.href)
          top.location.href = self.location.href;
        else if (top.location.hostname != self.location.hostname)
          throw 1;
      } catch (e) {
        // possible clickjacking attack: disable all form elements
        $('form').each(function(){ ref.lock_form(this, true); });
        this.display_message("Blocked: possible clickjacking attack!", 'error');
        return;
      }
    }
    // init registered buttons
    this.init_buttons();
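Review bot: The `deny` branch compares the configured value case-sensitively, so a config of `DENY` or `Deny` (the header value itself is case-insensitive) silently falls through to the hostname-only check and a same-origin framing page is never busted; normalize once at the top of the block, `var xfo = String(this.env.x_frame_options).toLowerCase();` and test `xfo == 'deny'`. The comparison on the `else if` line checks only `hostname`, so a frame served from the same host over a different scheme or port is accepted; comparing `top.location.protocol` and `top.location.host` (which includes the port) against `self.location` is stricter while still throwing, and therefore still locking the forms, on a cross-origin top. Script-side frame busting can be defeated by the framing document, so this block should remain a fallback to an `X-Frame-Options` response header sent by the server; the rcube_template.php hunk only exports the setting to the client, and whether the header itself is emitted is not visible here. `ref` in the catch handler is presumably the instance alias declared earlier in this function, outside the hunk, so it is worth confirming it is in scope at this point.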