Changes in [2906:6e7e433ef6d3:2910:69efb1571e90]

Files:

• admin/post.php (modified) (1 diff)
• inc/admin/lib.dc.page.php (modified) (4 diffs)
• plugins/pages/page.php (modified) (1 diff)

admin/post.php

@@ -411 +411 @@
                ($post_id ? $page_title_edit : $page_title) => ''
           ))
+     , array(
+          'x-frame-allow' => $core->blog->url
+     )
 );
 

inc/admin/lib.dc.page.php

@@ -17 +17 @@
 {
      private static $loaded_js = array();
+     private static $xframe_loaded = false;
      private static $N_TYPES = array(
           "success" => "success",
@@ -54 +55 @@
 
      # Top of admin page
-     public static function open($title='',$head='',$breadcrumb='')
+     public static function open($title='',$head='',$breadcrumb='',$options=array())
      {
           global $core;
@@ -91 +92 @@
 
           // Prevents Clickjacking as far as possible
-          header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
-
+          if (isset($options['x-frame-allow'])) {
+               self::setXFrameOptions($options['x-frame-allow']);
+          } else {
+               self::setXFrameOptions();
+          }
           echo
           '<!DOCTYPE html>'.
@@ -919 +923 @@
           return $GLOBALS['core']->adminurl->get('load.plugin.file',array('pf' => $file));
      }
+
+     public static function setXFrameOptions($origin=null) {
+          if (self::$xframe_loaded) {
+               return;
+          }
+          if ($origin !== null) {
+               $url = parse_url($origin);
+               header(sprintf('X-Frame-Options: %s', is_array($url)?($url['scheme'].'://'.$url['host']):'SAMEORIGIN'));
+          } else {
+               header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
+          }
+          self::$xframe_loaded = true;
+
+     }
 }

plugins/pages/page.php

@@ -304 +304 @@
 }
 
+dcPage::setXFrameOptions($core->blog->url);
 ?>
 <html>