Upgrade anti-framing, anti-clickjacking code
This commit is contained in:
parent
321060ca71
commit
895447f3dc
|
@ -334,9 +334,12 @@ class Action extends HTMLOutputter // lawsuit
|
|||
$this->inlineScript('var _peopletagAC = "' .
|
||||
common_local_url('peopletagautocomplete') . '";');
|
||||
$this->showScriptMessages();
|
||||
// Frame-busting code to avoid clickjacking attacks.
|
||||
// Anti-framing code to avoid clickjacking attacks in older browsers.
|
||||
// This will show a blank page if the page is being framed, which is
|
||||
// consistent with the behavior of the 'X-Frame-Options: SAMEORIGIN'
|
||||
// header, which prevents framing in newer browser.
|
||||
if (common_config('javascript', 'bustframes')) {
|
||||
$this->inlineScript('if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
|
||||
$this->inlineScript('if (window.top !== window.self) { document.write = ""; window.top.location = window.self.location; setTimeout(function () { document.body.innerHTML = ""; }, 1); window.self.onload = function () { document.body.innerHTML = ""; }; }');
|
||||
}
|
||||
Event::handle('EndShowStatusNetScripts', array($this));
|
||||
Event::handle('EndShowLaconicaScripts', array($this));
|
||||
|
|
|
@ -108,6 +108,13 @@ class HTMLOutputter extends XMLOutputter
|
|||
|
||||
header('Content-Type: '.$type);
|
||||
|
||||
// Output anti-framing headers to prevent clickjacking (respected by newer
|
||||
// browsers).
|
||||
if (common_config('javascript', 'bustframes')) {
|
||||
header('X-XSS-Protection 1; mode=block'); // detect XSS Reflection attacks
|
||||
header('X-Frame-Options: SAMEORIGIN'); // no rendering if origin mismatch
|
||||
}
|
||||
|
||||
$this->extraHeaders();
|
||||
if (preg_match("/.*\/.*xml/", $type)) {
|
||||
// Required for XML documents
|
||||
|
|
Loading…
Reference in New Issue
Block a user