From: Alexander Ebert Date: Mon, 20 Sep 2021 13:58:51 +0000 (+0200) Subject: Enable `X-Frame-Options` for the WCFSetup X-Git-Tag: 5.4.8_dev_1~22 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=0750795fb8ad4cfd6c6bad7a0060d57a0f427bc9;p=GitHub%2FWoltLab%2FWCF.git Enable `X-Frame-Options` for the WCFSetup This has the side effect of suppressing `SameSite=none` for the cookies, which fails on insecure connections because this attribute value is valid for secure cookies only. Resolves #4499 Follow up for 2a9d48c4badc4de2e0f2d2fc73c3af2bee39cce8 --- diff --git a/wcfsetup/install/files/options.inc.php b/wcfsetup/install/files/options.inc.php index e5a7210d9b..edfa6df091 100644 --- a/wcfsetup/install/files/options.inc.php +++ b/wcfsetup/install/files/options.inc.php @@ -22,7 +22,7 @@ if (\file_exists(WCF_DIR . 'cookiePrefix.txt')) { \define('COOKIE_PATH', ''); \define('COOKIE_DOMAIN', ''); -\define('HTTP_SEND_X_FRAME_OPTIONS', 0); +\define('HTTP_SEND_X_FRAME_OPTIONS', 1); \define('BLACKLIST_IP_ADDRESSES', ''); \define('BLACKLIST_USER_AGENTS', '');
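Review bot: The changed line `\define('HTTP_SEND_X_FRAME_OPTIONS', 1);` has no comment explaining why the setup now depends on this value. Per the commit message, the flag is relied on here for its side effect of suppressing `SameSite=none` on cookies over insecure connections, and that coupling is not visible anywhere in options.inc.php. If the constant is later set back to 0, the cookie failure referenced in #4499 would return with no hint in the file as to why. Suggest adding a short comment above the define that states the cookie dependency, and consider whether the `SameSite` value should be chosen explicitly from the connection's security state rather than inferred from the frame-options flag.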