From 699af1e5206ed9114322adaa3c25c1c969640a53 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sun, 06 Mar 2016 08:35:48 -0500 Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response --- program/include/rcmail_output_html.php | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/program/include/rcmail_output_html.php b/program/include/rcmail_output_html.php index 2374f87..2f59131 100644 --- a/program/include/rcmail_output_html.php +++ b/program/include/rcmail_output_html.php @@ -514,10 +514,10 @@ // write all javascript commands $this->add_script($commands, 'head_top'); - // send clickjacking protection headers + // allow (legal) iframe content to be loaded $iframe = $this->framed || $this->env['framed']; - if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin'))) { - header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe)); + if (!headers_sent() && $iframe && $this->app->config->get('x_frame_options', 'sameorigin') === 'deny') { + header('X-Frame-Options: sameorigin', true); } // call super method -- Gitblit v1.9.1