From 4a408843b0ef816daf70a472a02b78cd6073a4d5 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sun, 06 Mar 2016 08:31:07 -0500 Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response --- program/lib/Roundcube/rcube_message.php | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/program/lib/Roundcube/rcube_message.php b/program/lib/Roundcube/rcube_message.php index d21de34..10ebbf6 100644 --- a/program/lib/Roundcube/rcube_message.php +++ b/program/lib/Roundcube/rcube_message.php @@ -108,7 +108,8 @@ 'get_url' => $this->app->url(array( 'action' => 'get', 'mbox' => $this->folder, - 'uid' => $uid)) + 'uid' => $uid), + false, false, true) ); if (!empty($this->headers->structure)) { -- Gitblit v1.9.1