Roundcubemail devel
parent: 55a02bcf | patch | commit | ignore whitespace
Thomas Bruederli
2016-01-16 294e65737cd2c4f0159a207bca0b755d4e34632b 
Send X-Frame-Options headers with every HTTP response
2 files modified
11 ■■■■ changed files
program/include/rcmail_output_html.php 6 ●●●● patch | view | raw | blame | history
program/lib/Roundcube/rcube_output.php 5 ●●●●● patch | view | raw | blame | history 
 program/include/rcmail_output_html.php


@@ -516,10 +516,10 @@


        // write all javascript commands


        $this->add_script($commands, 'head_top');




        // send clickjacking protection headers


        // allow (legal) iframe content to be loaded


        $iframe = $this->framed || $this->env['framed'];


        if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) {


            header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));


        if (!headers_sent() && $iframe && $this->app->config->get('x_frame_options', 'sameorigin') === 'deny') {


            header('X-Frame-Options: sameorigin', true);


        }




        // call super method




 program/lib/Roundcube/rcube_output.php


@@ -190,6 +190,11 @@




        // Request browser to disable DNS prefetching (CVE-2010-0464)


        header("X-DNS-Prefetch-Control: off");




        // send CSRF and clickjacking protection headers


        if ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')) {


            header('X-Frame-Options: ' . $xframe);


        }


    }




    /**