<validationpattern>^[a-zA-Z0-9_]+$</validationpattern>
</option>
<!-- /general.system.cookie-->
- <!-- general.system.http -->
- <option name="http_send_x_frame_options">
- <categoryname>general.system.http</categoryname>
- <optiontype>boolean</optiontype>
- <defaultvalue>1</defaultvalue>
- </option>
- <!-- /general.system.http -->
<!-- general.system.packageServer -->
<option name="package_server_auth_code">
<categoryname>general.system.packageServer</categoryname>
</option>
</options>
</import>
+ <delete>
+ <option name="http_send_x_frame_options"/>
+ </delete>
</data>
\define('SEARCH_ENGINE', 'mysql');
\define('EXCEPTION_PRIVACY', 'public');
\define('COOKIE_PREFIX', 'wcf21_');
-\define('HTTP_SEND_X_FRAME_OPTIONS', 1);
\define('PACKAGE_SERVER_AUTH_CODE', '');
\define('PROXY_SERVER_HTTP', '');
\define('IP_ADDRESS_SEARCH_ENGINE', '');
<p class="error">{lang}wcf.acp.index.tmpBroken{/lang}</p>
{/if}
-{if !HTTP_SEND_X_FRAME_OPTIONS}
- <p class="error">{lang}wcf.acp.index.allowsFrameEmbedding{/lang}</p>
-{/if}
-
{if $recaptchaWithoutKey}
<p class="error">{lang}wcf.acp.index.recaptchaWithoutKey{/lang}</p>
{/if}
);
}
- $xFrameOptionsLink = LinkHandler::getInstance()->getLink(
- 'Option',
- [
- 'id' => $optionCategories['general']->categoryID,
- 'optionName' => 'http_send_x_frame_options',
- ],
- '#category_general.system'
- );
-
$evaluationExpired = $evaluationPending = [];
foreach (ApplicationHandler::getInstance()->getApplications() as $application) {
if ($application->isTainted) {
WCF::getTPL()->assign([
'recaptchaWithoutKey' => $recaptchaWithoutKey,
'recaptchaKeyLink' => $recaptchaKeyLink,
- 'xFrameOptionsLink' => $xFrameOptionsLink,
'server' => $this->server,
'usersAwaitingApproval' => $usersAwaitingApproval,
'evaluationExpired' => $evaluationExpired,
// The captcha option related to the removed SearchForm was removed in 5.5.
\define('SEARCH_USE_CAPTCHA', 0);
+
+ // Disabling X-Frame-Options is no longer possible since 5.6.
+ \define('HTTP_SEND_X_FRAME_OPTIONS', 1);
}
/**
// define
\define('PACKAGE_ID', 0);
-\define('HTTP_SEND_X_FRAME_OPTIONS', 1);
\define('CACHE_SOURCE_TYPE', 'disk');
\define('ENABLE_DEBUG_MODE', 1);
\define('ENABLE_BENCHMARK', 0);
$sameSite = '; SameSite=lax';
}
- if (!HTTP_SEND_X_FRAME_OPTIONS) {
- $sameSite = '; SameSite=none';
- }
-
\header(
'set-cookie: XSRF-TOKEN=' . \rawurlencode($xsrfToken) . '; path=/' . $cookieDomain . (RouteHandler::secureConnection() ? '; secure' : '') . $sameSite,
false
{
$cookieDomain = self::getCookieDomain();
- $sameSite = '';
- if (!HTTP_SEND_X_FRAME_OPTIONS) {
- $sameSite = '; SameSite=none';
- }
-
@\header(
'Set-Cookie: ' . \rawurlencode(COOKIE_PREFIX . $name) . '=' . \rawurlencode((string)$value) . ($expire ? '; expires=' . \gmdate(
'D, d-M-Y H:i:s',
$expire
- ) . ' GMT; max-age=' . ($expire - TIME_NOW) : '') . '; path=/' . ($cookieDomain !== null ? '; domain=' . $cookieDomain : '') . (RouteHandler::secureConnection() ? '; secure' : '') . $sameSite . '; HttpOnly',
+ ) . ' GMT; max-age=' . ($expire - TIME_NOW) : '') . '; path=/' . ($cookieDomain !== null ? '; domain=' . $cookieDomain : '') . (RouteHandler::secureConnection() ? '; secure' : '') . '; HttpOnly',
false
);
}
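Review bot: The rewritten `Set-Cookie` line in this hunk ends in `'; secure' : '') . '; HttpOnly'`, so these cookies are sent with no SameSite attribute and cross-site behaviour is left to each browser's default. A neighbouring hunk assigns `$sameSite = '; SameSite=lax';` for the XSRF-TOKEN cookie (under a condition not visible here), and with framing now always refused the `SameSite=none` case that motivated `$sameSite` in this method no longer exists. Consider making the attribute explicit, e.g. `... ? '; secure' : '') . '; SameSite=lax; HttpOnly',`, after confirming that no flow depends on these cookies arriving with a cross-site POST. The method signature lies outside the hunk, so whether callers would need a per-cookie override cannot be judged from here.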
self::sendNoCacheHeaders();
}
- // send X-Frame-Options
- if (HTTP_SEND_X_FRAME_OPTIONS) {
- @\header('X-Frame-Options: SAMEORIGIN');
- }
+ @\header('X-Frame-Options: SAMEORIGIN');
\ob_start([self::class, 'parseOutput']);
}
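Review bot: `@\header('X-Frame-Options: SAMEORIGIN');` now appears to be the only framing defence, and the `@` hides the warning PHP raises when output has already started, so a response can leave without the header and nothing records it. Dropping the `@`, or checking `\headers_sent()` and logging the miss, would make that failure visible. Because `X-Frame-Options` has been superseded by the CSP `frame-ancestors` directive, it may also be worth sending `Content-Security-Policy: frame-ancestors 'self'` alongside it, provided that does not clash with a policy set elsewhere. The enclosing method starts outside the hunk. The removed `// send X-Frame-Options` comment could be replaced by `// Always sent: framing by other origins is refused to prevent clickjacking.` so the reason stays next to the call.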
\define('COOKIE_PATH', '');
\define('COOKIE_DOMAIN', '');
-\define('HTTP_SEND_X_FRAME_OPTIONS', 1);
-
\define('CACHE_SOURCE_TYPE', 'disk');
\define('IMAGE_ADAPTER_TYPE', 'gd');
\define('TIMEZONE', 'Europe/Berlin');
<item name="wcf.acp.option.error.tooLow"><![CDATA[Der angegebene Wert ist zu gering.{if $option->minvalue !== null} Der minimale Wert ist {#$option->minvalue}.{/if}]]></item>
<item name="wcf.acp.option.error.tooLong"><![CDATA[Der eingegebene Text ist zu lang.]]></item>
<item name="wcf.acp.option.error.tooShort"><![CDATA[Der eingegebene Text ist zu kurz.]]></item>
- <item name="wcf.acp.option.http_send_x_frame_options"><![CDATA[Einbindung in einem Frame verhindern (obsolet)]]></item>
- <item name="wcf.acp.option.http_send_x_frame_options.description"><![CDATA[Die Option zur Kontrolle der Einbindung in einem Frame ist veraltet, wird in einer zukünftigen Version entfernt und die Einbindung generell unterbunden. Die Einbindung in einem Frame reduziert die Sicherheit, da <a href="https://de.wikipedia.org/wiki/Clickjacking" class="externalURL">Clickjacking-Angriffe</a> ermöglicht werden. Darüber hinaus können bestimmte Sicherheitsmerkmale von Cookies in Frames nicht verwendet werden.]]></item>
<item name="wcf.acp.option.image_adapter_type"><![CDATA[Grafik-Bibliothek]]></item>
<item name="wcf.acp.option.image_adapter_type.gd"><![CDATA[GD Graphics Library (Standard)]]></item>
<item name="wcf.acp.option.image_adapter_type.imagick"><![CDATA[ImageMagick]]></item>
<item name="wcf.upload.error.uploadFailed"><![CDATA[Beim Hochladen der Datei ist ein unbekannter Fehler aufgetreten.]]></item>
</category>
</import>
+<delete>
+ <item name="wcf.acp.option.http_send_x_frame_options"/>
+ <item name="wcf.acp.option.http_send_x_frame_options.description"/>
+</delete>
</language>
<item name="wcf.acp.option.error.tooLow"><![CDATA[Under the minimum value{if $option->minvalue !== null} of {#$option->minvalue}{/if}.]]></item>
<item name="wcf.acp.option.error.tooLong"><![CDATA[The entered text is too long.]]></item>
<item name="wcf.acp.option.error.tooShort"><![CDATA[The entered text is too short.]]></item>
- <item name="wcf.acp.option.http_send_x_frame_options"><![CDATA[Disallow embedding in a frame (deprecated)]]></item>
- <item name="wcf.acp.option.http_send_x_frame_options.description"><![CDATA[The option to control embedding within a frame is deprecated, will be removed in a future version and embedding will be prevented in all cases. Allowing embedding reduces security by allowing <a href="https://en.wikipedia.org/wiki/Clickjacking" class="externalURL">Clickjacking attacks</a> to happen. In addition certain security features for cookies are not available within frames.]]></item>
<item name="wcf.acp.option.image_adapter_type"><![CDATA[Graphics Library]]></item>
<item name="wcf.acp.option.image_adapter_type.gd"><![CDATA[Use GD Graphics Library (default)]]></item>
<item name="wcf.acp.option.image_adapter_type.imagick"><![CDATA[Use ImageMagick]]></item>
<item name="wcf.upload.error.uploadFailed"><![CDATA[An unknown error occurred during the upload.]]></item>
</category>
</import>
+<delete>
+ <item name="wcf.acp.option.http_send_x_frame_options"/>
+ <item name="wcf.acp.option.http_send_x_frame_options.description"/>
+</delete>
</language>