Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Protect from Clickjacking by sending X-Frame-Options headers (#1487037)

  • Loading branch information...
commit c170bfc92f48dea0dc009916251acf730b1d885f 1 parent 94a5a24
@thomascube thomascube authored
Showing with 9 additions and 0 deletions.
  1. +4 −0 config/main.inc.php.dist
  2. +5 −0 program/include/rcube_template.php
View
4 config/main.inc.php.dist
@@ -237,6 +237,10 @@ $rcmail_config['ip_check'] = false;
// check referer of incoming requests
$rcmail_config['referer_check'] = false;
+// X-Frame-Options HTTP header value sent to prevent from Clickjacking.
+// Possible values: sameorigin|deny. Set to false in order to disable sending them
+$rcmail_confoig['x_frame_options'] = 'sameorigin';
+
// this key is used to encrypt the users imap password which is stored
// in the session record (and the client cookie if remember password is enabled).
// please provide a string of exactly 24 chars.
View
5 program/include/rcube_template.php
@@ -356,6 +356,11 @@ public function write($template = '')
// make sure all <form> tags have a valid request token
$template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
$this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
+
+ // send clickjacking protection headers
+ $iframe = $this->framed || !empty($_REQUEST['_framed']);
+ if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
+ header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
// call super method
parent::write($template, $this->config['skin_path']);
Please sign in to comment.
Something went wrong with that request. Please try again.