Changeset 2907:d5da0414c363

Timestamp:

01/06/15 19:38:51 (11 years ago)

Author:

Dsls

Branch:

2.7

Message:

added x-frame-options customizable for dcPage::open, fixes #2049

Files:

• admin/post.php (modified) (1 diff)
• inc/admin/lib.dc.page.php (modified) (2 diffs)

admin/post.php

@@ -411 +411 @@
                ($post_id ? $page_title_edit : $page_title) => ''
           ))
+     , array(
+          'x-frame-allow' => $core->blog->url
+     )
 );
 

inc/admin/lib.dc.page.php

@@ -54 +54 @@
 
      # Top of admin page
-     public static function open($title='',$head='',$breadcrumb='')
+     public static function open($title='',$head='',$breadcrumb='',$options=array())
      {
           global $core;
@@ -91 +91 @@
 
           // Prevents Clickjacking as far as possible
-          header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
-
+          if (isset($options['x-frame-allow'])) {
+               $host = parse_url($options['x-frame-allow'], PHP_URL_HOST);
+               $scheme = parse_url($options['x-frame-allow'], PHP_URL_SCHEME);
+               header(sprintf('X-Frame-Options: %s', ($host !== null)?($scheme.'://'.$host):'SAMEORIGIN'));
+          } else {
+               header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
+          }
           echo
           '<!DOCTYPE html>'.