From c170bfc92f48dea0dc009916251acf730b1d885f Mon Sep 17 00:00:00 2001
From: thomascube <thomas@roundcube.net>
Date: Mon, 05 Sep 2011 04:39:52 -0400
Subject: [PATCH] Protect from Clickjacking by sending X-Frame-Options headers (#1487037)

---
 program/include/rcube_template.php |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/program/include/rcube_template.php b/program/include/rcube_template.php
index c4dd73b..1ec8e7d 100755
--- a/program/include/rcube_template.php
+++ b/program/include/rcube_template.php
@@ -356,6 +356,11 @@
         // make sure all <form> tags have a valid request token
         $template = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $template);
         $this->footer = preg_replace_callback('/<form\s+([^>]+)>/Ui', array($this, 'alter_form_tag'), $this->footer);
+        
+        // send clickjacking protection headers
+        $iframe = $this->framed || !empty($_REQUEST['_framed']);
+        if (!headers_sent() && ($xframe = $this->app->config->get('x_frame_options', 'sameorigin')))
+            header('X-Frame-Options: ' . ($iframe && $xframe == 'deny' ? 'sameorigin' : $xframe));
 
         // call super method
         parent::write($template, $this->config['skin_path']);

--
Gitblit v1.9.1