Send X-Frame-Options headers with every HTTP response
| | |
| | | // write all javascript commands |
| | | $this->add_script($commands, 'head_top'); |
| | | |
| | | // send clickjacking protection headers |
| | | // allow (legal) iframe content to be loaded |
| | | $iframe = $this->framed || $this->env['framed']; |
| | | if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) { |
| | | header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe)); |
| | | if (!headers_sent() && $iframe && $this->app->config->get('x_frame_options', 'sameorigin') === 'deny') { |
| | | header('X-Frame-Options: sameorigin', true); |
| | | } |
| | | |
| | | // call super method |
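Review bot: The new condition `$this->app->config->get('x_frame_options', 'sameorigin') === 'deny'` is case-sensitive, while X-Frame-Options values are case-insensitive, so a configured `DENY` or `Deny` would not trigger the framed override here and legitimate framed content would be blocked by the stricter header emitted elsewhere; the removed `==` comparison had the same gap. Normalising the value once fixes it: `$xframe = strtolower((string) $this->app->config->get('x_frame_options', 'sameorigin'));` followed by `if (!headers_sent() && $iframe && $xframe === 'deny') {`. A short comment on the `header('X-Frame-Options: sameorigin', true);` line should also state that the `true` argument deliberately replaces the header already sent for this response, since that override is otherwise easy to miss. The enclosing method starts and ends outside the hunk.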
| | |
| | | |
| | | // Request browser to disable DNS prefetching (CVE-2010-0464) |
| | | header("X-DNS-Prefetch-Control: off"); |
| | | |
| | | // send CSRF and clickjacking protection headers |
| | | if ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')) { |
| | | header('X-Frame-Options: ' . $xframe); |
| | | } |
| | | } |
| | | |
| | | /** |
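Review bot: The comment `// send CSRF and clickjacking protection headers` above the added block overstates what it does; only X-Frame-Options is emitted, so it should read `// send clickjacking protection header (X-Frame-Options)`. Because the configured value is written into the header verbatim, a mistyped option (anything other than `deny`, `sameorigin` or `allow-from <uri>`) yields a header browsers ignore and the protection silently disappears; a guard such as `if ($xframe && !preg_match('/^(deny|sameorigin|allow-from\s+\S+)$/i', $xframe)) { $xframe = 'sameorigin'; }` would fail safe, or at least log the bad value. Unlike the other hunk, this `header()` call has no `headers_sent()` guard, which is presumably fine if this code runs before any output, but worth confirming. The enclosing function starts outside the hunk.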