Changeset 2915:c45489df2bde


Timestamp:
01/13/15 08:22:24 (9 years ago)
Author:
Dsls
Branch:
2.7
Tags:
2.7.3
Message:

Last tuning for x-frame-options (inc preview), see #2049

Location:
inc
Files:
2 edited

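--- a/inc/admin/lib.dc.page.php
+++ b/inc/admin/lib.dc.page.php
@@ -930,5 +930,5 @@
           if ($origin !== null) {
                $url = parse_url($origin);
-               header(sprintf('X-Frame-Options: %s', is_array($url)?($url['scheme'].'://'.$url['host']):'SAMEORIGIN'));
+               header(sprintf('X-Frame-Options: %s', is_array($url)?("ALLOW-FROM ".$url['scheme'].'://'.$url['host']):'SAMEORIGIN'));
           } else {
                header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+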
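Review bot: The `is_array($url)` guard on new line 932 does not guarantee that `$url['scheme']` and `$url['host']` exist — `parse_url()` returns an array without those keys for a relative or scheme-less `$origin`, which would raise PHP notices and emit `X-Frame-Options: ALLOW-FROM ://` instead of falling back to SAMEORIGIN. Tighten the condition to `is_array($url) && isset($url['scheme'], $url['host'])` so anything that does not parse to a full origin keeps the SAMEORIGIN fallback. The rebuilt origin also discards any `port` component parse_url returned, so an origin on a non-default port presumably would not match the framing page — worth confirming against how `$origin` is produced, which is not visible here. ALLOW-FROM was only ever honoured by Firefox and IE; other browsers ignore an X-Frame-Options header whose value they do not recognise, so a companion `Content-Security-Policy: frame-ancestors <origin>` header is what a practitioner would add alongside it. The enclosing function starts and ends outside this hunk.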
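--- a/inc/public/lib.urlhandlers.php
+++ b/inc/public/lib.urlhandlers.php
@@ -111,5 +111,8 @@
           header('Content-Type: '.$_ctx->content_type.'; charset=UTF-8');

-          if ($core->blog->settings->system->prevents_clickjacking) {
+          if ($_ctx->exists('xframeoption')) {
+               $url = parse_url($_ctx->xframeoption);
+               header(sprintf('X-Frame-Options: %s', is_array($url)?("ALLOW-FROM ".$url['scheme'].'://'.$url['host']):'SAMEORIGIN'));
+          } elseif ($core->blog->settings->system->prevents_clickjacking) {
                // Prevents Clickjacking as far as possible
                header('X-Frame-Options: SAMEORIGIN'); // FF 3.6.9+ Chrome 4.1+ IE 8+ Safari 4+ Opera 10.5+
@@ -535,4 +538,7 @@
                {
                     $_ctx->preview = true;
+                    if (defined ("DC_ADMIN_URL")) {
+                         $_ctx->xframeoption=DC_ADMIN_URL;
+                    }
                     self::post($post_url);
                }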
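Review bot: The new `xframeoption` branch at line 113 emits `ALLOW-FROM` after checking only `is_array($url)`, so a value that parses without a `scheme` or `host` key produces notices and a malformed `ALLOW-FROM ://` header, and browsers that never implemented ALLOW-FROM (Chrome, Safari) ignore the header entirely, leaving the preview response with no framing protection at all. Because this branch is tested before `prevents_clickjacking`, a preview is framed-from-admin even when that setting is off; that looks intended for the preview path, but the value should be validated as a full origin and backed by a `Content-Security-Policy: frame-ancestors` header so non-Firefox/IE browsers still get a restriction. In the second hunk `$_ctx->xframeoption` is only set from the `DC_ADMIN_URL` constant, not from request data, though any other code able to set that context key would control the allowed origin — worth confirming nothing else writes it. Both enclosing methods start and end outside the hunks.

```php
if ($_ctx->exists('xframeoption')) {
    $url = parse_url($_ctx->xframeoption);
    if (is_array($url) && isset($url['scheme'], $url['host'])) {
        $origin = $url['scheme'].'://'.$url['host'];
        header('X-Frame-Options: ALLOW-FROM '.$origin);
        // Browsers without ALLOW-FROM support ignore the header above; CSP covers them.
        header('Content-Security-Policy: frame-ancestors '.$origin);
    } else {
        // Not a full origin: keep the restrictive default rather than a malformed header.
        header('X-Frame-Options: SAMEORIGIN');
    }
} elseif ($core->blog->settings->system->prevents_clickjacking) {
    // … unchanged: SAMEORIGIN branch …
```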