From: <rgr...@us...> - 2014-11-15 21:39:33
Revision: 12847
http://sourceforge.net/p/xoops/svn/12847
Author: rgriffith
Date: 2014-11-15 21:39:25 +0000 (Sat, 15 Nov 2014)
Log Message:
-----------
Add X-Frame-Options header to prevent clickjacking in modern browsers. By default set to 'sameorigin', but can be overridden by setting desired value in 'xFrameOptions' key in xoopsconfig. Resolves #1295
Modified Paths:
--------------
XoopsCore/branches/2.5.x/2.5.8/htdocs/include/common.php
Modified: XoopsCore/branches/2.5.x/2.5.8/htdocs/include/common.php
===================================================================
--- XoopsCore/branches/2.5.x/2.5.8/htdocs/include/common.php 2014-11-12 21:39:56 UTC (rev 12846)
+++ XoopsCore/branches/2.5.x/2.5.8/htdocs/include/common.php 2014-11-15 21:39:25 UTC (rev 12847)
@@ -130,6 +130,14 @@
trigger_error('File Path Error: ' . 'var/configs/xoopsconfig.php' . ' does not exist.');
}
+/**
+ * clickjack protection - Add option to HTTP header restrictig using site in an iframe
+ */
+$xFrameOptions = isset($xoopsConfig['xFrameOptions']) ? $xoopsConfig['xFrameOptions'] : 'sameorigin';
+if (!headers_sent() && !empty($xFrameOptions)) {
+ header('X-Frame-Options: ' .$xFrameOptions);
+}
+
//check if user set a local timezone (from XavierS)
// $xoops_server_timezone="Etc/GMT";
// if ($xoopsConfig["server_TZ"]>0) {
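Review bot: The configured `xFrameOptions` value is emitted verbatim on the `header(...)` line without being checked against the values browsers actually honour (`DENY`, `SAMEORIGIN`, and the poorly supported `ALLOW-FROM uri`), so a typo in `xoopsconfig.php` produces a header that browsers silently ignore and the clickjacking protection the commit adds is lost without any visible error. Restricting the value before sending it keeps the default behaviour while turning a misconfiguration into an absent header that is easy to spot: `$xFrameOptions = isset($xoopsConfig['xFrameOptions']) ? strtoupper($xoopsConfig['xFrameOptions']) : 'SAMEORIGIN';` followed by `if (!headers_sent() && in_array($xFrameOptions, array('DENY', 'SAMEORIGIN'), true)) {`, with `ALLOW-FROM` accepted only if the deployment needs it. The `!empty($xFrameOptions)` test also means an empty config value disables the header entirely; since that appears to be the intended opt-out, the docblock should say so and fix its typo, e.g. `* clickjack protection - sends an X-Frame-Options header restricting use of the site in an iframe; set 'xFrameOptions' to an empty value in xoopsconfig to disable`. The surrounding common.php include logic starts and ends outside this hunk.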