Improved protection against cross framing
We now include CSS to hide the page and display it conditionally after
checking we're in top frame. This adds extra protection for clients who
do not support X-Frame-Options.

See also http://en.wikipedia.org/wiki/Framekiller and
https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
nijel committed Jul 29, 2013
1 parent 240b833 commit 24d0eb5
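The hide-then-reveal logic described in the commit message, as an added example that is not part of the phpMyAdmin commit or its code base. It writes the same decision against a constructed window-like object (`makeWindow`, a hypothetical stand-in for the browser globals `self`, `top`, `document` and `location`) so the three outcomes can be exercised outside a browser: top-level page revealed, framed page busting out, and framed page where the top navigation is refused. Unlike the committed script it wraps the navigation in try/catch only to make that last outcome observable; in both the committed code and this example a refused navigation leaves the page hidden, which is the fail-closed property that the `<style>html{display: none;}</style>` tag provides.

```javascript
// Added example (not from the phpMyAdmin commit): the hide-then-reveal
// framing defence, written against a minimal window-like object so the
// decision logic can be exercised outside a browser.
//
// The real page ships <style>html{display: none;}</style> in <head>, so the
// document is blank until this logic runs. That is the fail-closed property:
// if the script is blocked, errors, or never runs, a framed copy stays blank.

function applyFramingProtection(win) {
  // win.self / win.top / win.document mirror the browser globals.
  // Strict comparison, as in the OWASP cheat sheet; loose == also works
  // for window objects but === avoids surprises with host objects.
  if (win.self === win.top) {
    win.document.documentElement.style.display = 'block';
    return 'shown';
  }
  try {
    // Navigate the outermost frame to ourselves (frame-bust).
    win.top.location = win.self.location;
    return 'busting';
  } catch (e) {
    // Some user agents refuse top navigation (for example a sandboxed frame
    // without allow-top-navigation). The page remains hidden: fail closed.
    return 'blocked-hidden';
  }
}

// Constructed stand-in for the browser objects (hypothetical, demo only).
// framed: whether the page is inside another document.
// topNavigationThrows: simulate a browser that rejects the top navigation.
function makeWindow({ framed, topNavigationThrows = false }) {
  const doc = { documentElement: { style: { display: 'none' } } };
  const win = { document: doc, location: 'https://pma.example/index.php' };
  win.self = win;
  if (!framed) {
    win.top = win;
    return win;
  }
  const top = { navigatedTo: null };
  Object.defineProperty(top, 'location', {
    set(v) {
      if (topNavigationThrows) {
        throw new Error('SecurityError: top navigation blocked');
      }
      top.navigatedTo = v;
    },
  });
  win.top = top;
  return win;
}
```

The only branch that ever sets `display` back to `'block'` is the one where `self === top`; every other path, including the one where the navigation is refused, leaves the page as the style tag delivered it.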
Showing 2 changed files with 6 additions and 10 deletions.
15 changes: 5 additions & 10 deletions js/cross_framing_protection.js
@@ -1,14 +1,9 @@
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
* Conditionally included if third-party framing is not allowed
*
* Conditionally included if framing is not allowed
*/

try {
if (top != self) {
top.location.href = self.location.href;
}
} catch(e) {
alert("Redirecting... (error: " + e);
top.location.href = self.location.href;
if(self == top) {
document.documentElement.style.display = 'block' ;
} else {
top.location = self.location ;
}
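Review bot: the new top-frame test at `if(self == top) {` uses loose equality; the OWASP cheat sheet cited in the commit message spells it `if (self === top)`, and strict comparison is the safer idiom when comparing host objects. The added lines also carry a stray space before the semicolon (`document.documentElement.style.display = 'block' ;`, `top.location = self.location ;`) and no space after `if`, unlike the removed `if (top != self) {`. Since the try/catch fallback that used to redirect on error is gone, the header comment should say that the page is blank until this script runs and that a thrown `top.location = self.location` leaves it hidden; that is the intended fail-closed outcome, but it is not obvious from the file alone.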
1 change: 1 addition & 0 deletions libraries/Header.class.php
@@ -531,6 +531,7 @@ private function _getMetaTags()
$retval = '<meta charset="utf-8" />';
$retval .= '<meta name="robots" content="noindex,nofollow" />';
$retval .= '<meta http-equiv="X-UA-Compatible" content="IE=Edge">';
$retval .= '<style>html{display: none;}</style>';
return $retval;
}

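Review bot: `$retval .= '<style>html{display: none;}</style>';` is appended unconditionally in _getMetaTags(), while the script that reveals the page is, per its own header comment, "Conditionally included if framing is not allowed". When that condition is false and the script is not included, nothing ever sets display back to 'block' and the page renders blank; emit the style under the same condition as the script include. Note also that an inline `<style>` is blocked by a Content-Security-Policy without an allowance for inline styles, which would silently drop the hiding and reduce the defence to the JavaScript alone.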