Improved protection against cross framing

nijel · nijel · commit 24d0eb55203b · 2013-07-29T14:55:29.000+02:00
We now include CSS to hide the page and display it conditionally after checking we're in top frame. This adds extra protection for clients who do not support X-Frame-Options. See also http://en.wikipedia.org/wiki/Framekiller and https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
diff --git a/js/cross_framing_protection.js b/js/cross_framing_protection.js
@@ -1,14 +1,9 @@
 /* vim: set expandtab sw=4 ts=4 sts=4: */
 /**
- * Conditionally included if third-party framing is not allowed
- *
+ * Conditionally included if framing is not allowed
  */
-
-try {
-    if (top != self) {
-        top.location.href = self.location.href;
-    }
-} catch(e) {
-    alert("Redirecting... (error: " + e);
-    top.location.href = self.location.href;
+if(self == top) {
+    document.documentElement.style.display = 'block' ;
+} else {
+    top.location = self.location ;
 }
diff --git a/libraries/Header.class.php b/libraries/Header.class.php
@@ -531,6 +531,7 @@ private function _getMetaTags()
         $retval  = '<meta charset="utf-8" />';
         $retval .= '<meta name="robots" content="noindex,nofollow" />';
         $retval .= '<meta http-equiv="X-UA-Compatible" content="IE=Edge">';
+        $retval .= '<style>html{display: none;}</style>';
         return $retval;
     }
 

Original file line number	Diff line number	Diff line change
`@@ -531,6 +531,7 @@ private function _getMetaTags()`
`531`	`531`	`$retval = '<meta charset="utf-8" />';`
`532`	`532`	`$retval .= '<meta name="robots" content="noindex,nofollow" />';`
`533`	`533`	`$retval .= '<meta http-equiv="X-UA-Compatible" content="IE=Edge">';`
	`534`	`+ $retval .= '<style>html{display: none;}</style>';`
`534`	`535`	`return $retval;`
`535`	`536`	`}`
`536`	`537`