From 699af1e5206ed9114322adaa3c25c1c969640a53 Mon Sep 17 00:00:00 2001 From: Thomas Bruederli <thomas@roundcube.net> Date: Sun, 06 Mar 2016 08:35:48 -0500 Subject: [PATCH] Protect download urls against CSRF using unique request tokens (#1490642) Send X-Frame-Options headers with every HTTP response --- program/lib/Roundcube/rcube_output.php | 5 +++++ 1 files changed, 5 insertions(+), 0 deletions(-) diff --git a/program/lib/Roundcube/rcube_output.php b/program/lib/Roundcube/rcube_output.php index 55a38b2..586aba3 100644 --- a/program/lib/Roundcube/rcube_output.php +++ b/program/lib/Roundcube/rcube_output.php @@ -190,6 +190,11 @@ // Request browser to disable DNS prefetching (CVE-2010-0464) header("X-DNS-Prefetch-Control: off"); + + // send CSRF and clickjacking protection headers + if ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')) { + header('X-Frame-Options: ' . $xframe); + } } /** -- Gitblit v1.9.1