lib.urlhandlers.php

Timestamp:

01/17/15 11:53:32 (11 years ago)

Author:

Dsls

Branch:

2.7

Message:

disable clickjacking in preview when clickjacking protection is not enabled, addresses #2049

File:

inc/public/lib.urlhandlers.php

-                      r2915
+                      r2919
           header('Content-Type: '.$_ctx->content_type.'; charset=UTF-8');
+          if ($_ctx->exists('xframeoption')) {
+               $url = parse_url($_ctx->xframeoption);
+               header(sprintf('X-Frame-Options: %s', is_array($url)?("ALLOW-FROM ".$url['scheme'].'://'.$url['host']):'SAMEORIGIN'));
+          } elseif ($core->blog->settings->system->prevents_clickjacking) {
+               // Prevents Clickjacking as far as possible
+               header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
+          if ($core->blog->settings->system->prevents_clickjacking) {
+               if ($_ctx->exists('xframeoption')) {
+                    $url = parse_url($_ctx->xframeoption);
+                    header(sprintf('X-Frame-Options: %s', is_array($url)?("ALLOW-FROM ".$url['scheme'].'://'.$url['host']):'SAMEORIGIN'));
+               } else {
+                    // Prevents Clickjacking as far as possible
+                    header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
+               }
+          }

Note: See TracChangeset for help on using the changeset viewer.