Added option to send "X-Frame-Options: SAMEORIGIN"
authorAlexander Ebert <ebert@woltlab.com>
Thu, 1 Aug 2013 22:54:15 +0000 (00:54 +0200)
committerAlexander Ebert <ebert@woltlab.com>
Thu, 1 Aug 2013 22:54:15 +0000 (00:54 +0200)
com.woltlab.wcf/option.xml
wcfsetup/install/files/lib/util/HeaderUtil.class.php
wcfsetup/install/lang/de.xml
wcfsetup/install/lang/en.xml

index 53ac64ae093f47aa074fa28b132837a33d6d825e..8fc149f0ca90fa5979cd1d3fe64f2f654965d261 100644 (file)
@@ -403,6 +403,11 @@ imagick:wcf.acp.option.image_adapter_type.imagick]]>
                                <optiontype>boolean</optiontype>
                                <defaultvalue>0</defaultvalue>
                        </option>
+                       <option name="http_send_x_frame_options">
+                               <categoryname>general.system.http</categoryname>
+                               <optiontype>boolean</optiontype>
+                               <defaultvalue>0</defaultvalue>
+                       </option>
                        <option name="http_enable_gzip">
                                <categoryname>general.system.http</categoryname>
                                <optiontype>boolean</optiontype>
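Review bot: The new option ships with `<defaultvalue>0</defaultvalue>`, so the clickjacking mitigation is off on every installation until an administrator discovers and enables it, while the neighbouring protective header in HeaderUtil is sent unconditionally; a default of `1` with SAMEORIGIN would cover fresh installs and still leave opt-out for sites that are legitimately framed by other origins. If the opt-in default is deliberate (to avoid breaking existing embedded deployments on upgrade), the option's description text should say so, because an administrator reading only the label will assume the site is protected. Separately, the German description for this option in de.xml leaves the anchor unclosed — `</a Header` should read `</a> Header` — so the admin page text may render incorrectly.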
index be24e981dfd04820a7907d7c8b2f16867d69cd56..edd79de59bcc9b1461b80699c06df41666a1a0fb 100644 (file)
@@ -66,6 +66,11 @@ final class HeaderUtil {
                // send Internet Explorer compatibility mode
                @header('X-UA-Compatible: IE=edge');
                
+               // send X-Frame-Options
+               if (HTTP_SEND_X_FRAME_OPTIONS) {
+                       @header('X-Frame-Options: SAMEORIGIN');
+               }
+               
                ob_start(array('wcf\util\HeaderUtil', 'parseOutput'));
        }
        
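Review bot: The `@` on the new `@header('X-Frame-Options: SAMEORIGIN')` call suppresses the one failure that matters for this header: once any output has been sent, `header()` does nothing, and the clickjacking protection disappears without any trace in the logs, in the same way the existing `@header('X-UA-Compatible: IE=edge')` line does. Since this option exists to provide a security guarantee, consider checking `headers_sent()` and logging when the header could not be emitted instead of silencing the warning, or at least record the dependency in the comment, e.g. `// send X-Frame-Options; SAMEORIGIN (not DENY) so the site may still frame its own pages — must run before any output, otherwise header() is silently ignored`. The value is hard-coded to SAMEORIGIN, which is presumably the intended choice for a site that embeds its own pages; a one-line comment saying why DENY was not chosen would save the next reader from "tightening" it. The enclosing method begins before this hunk.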
index bf3e5aa02ac2f590875d03945726ef21c030a986..3c2482f4252f2484bb2deb081e89bcf9a0ad2f02 100644 (file)
                <item name="wcf.acp.option.http_enable_no_cache_headers.description"><![CDATA[Verhindert zuverlässig das Cachen von einzelnen Seiten und sorgt somit dafür, dass beim Seitenaufruf immer die neueste Version der Seite geladen wird. Führt umgekehrt aber zu höherem Traffic und mehr Serverlast.]]></item>
                <item name="wcf.acp.option.http_gzip_level"><![CDATA[Gzip-Komprimierungslevel]]></item>
                <item name="wcf.acp.option.http_gzip_level.description"><![CDATA[Werte von 1-9 sind zulässig. Als Optimum zwischen Komprimierung und Serverlast empfiehlt sich Level 1.]]></item>
+               <item name="wcf.acp.option.http_send_x_frame_options"><![CDATA[Einbindung in einem Frame verhindern]]></item>
+               <item name="wcf.acp.option.http_send_x_frame_options.description"><![CDATA[Sendet den <a href="{@$__wcf->getPath()}acp/dereferrer.php?url={'http://de.wikipedia.org/wiki/Clickjacking'|rawurlencode}" class="externalURL">„X-Frame-Options“</a Header um die Einbettung dieser Seite in einem Frame zu verhindern (sendet „SAMEORIGIN“).]]></item>
                <item name="wcf.acp.option.image_adapter_type"><![CDATA[Grafik-Bibliothek]]></item>
                <item name="wcf.acp.option.image_adapter_type.gd"><![CDATA[GD Library (Standard)]]></item>
                <item name="wcf.acp.option.image_adapter_type.imagick"><![CDATA[ImageMagick]]></item>
index e5e469a4f35fc3a82d61439990632ca6f5346c80..4521adf7fad9f2ef935fd3d8479086af9e26c4c6 100644 (file)
@@ -600,6 +600,8 @@ Examples for medium ID detection:
                <item name="wcf.acp.option.http_enable_no_cache_headers.description"><![CDATA[Prevents Browser’s caching ensuring your users are always viewing the latest content. Increases both traffic and server load.]]></item>
                <item name="wcf.acp.option.http_gzip_level"><![CDATA[gzip-compression level]]></item>
                <item name="wcf.acp.option.http_gzip_level.description"><![CDATA[Values between 1 and 9 are valid, it is recommended to use “1” for good compression without causing high server loads.]]></item>
+               <item name="wcf.acp.option.http_send_x_frame_options"><![CDATA[Disallow embedding in a frame]]></item>
+               <item name="wcf.acp.option.http_send_x_frame_options.description"><![CDATA[Sends the <a href="{@$__wcf->getPath()}acp/dereferrer.php?url={'http://en.wikipedia.org/wiki/Clickjacking'|rawurlencode}" class="externalURL">“X-Frame-Options”</a> header to prevent 3rd party sites from embedding this site in a frame (sends “SAMEORIGIN”).]]></item>
                <item name="wcf.acp.option.image_adapter_type"><![CDATA[Graphics Library]]></item>
                <item name="wcf.acp.option.image_adapter_type.gd"><![CDATA[GD Library (default)]]></item>
                <item name="wcf.acp.option.image_adapter_type.imagick"><![CDATA[ImageMagick]]></item>