diff --git a/ChangeLog b/ChangeLog index 7609616db..d73196056 100644 --- a/ChangeLog +++ b/ChangeLog @@ -93,6 +93,8 @@ danbarry - patch #2020630 [export] Safari and timedate, thanks to Sebastian Mendel, Isaac Bennetch and Jürgen Wind - bug #2022182 [import, export] Import/Export fails because of Mac files +- [security] protection against cross-frame scripting and + new directive AllowThirdPartyFraming, thanks to YGN Ethical Hacker Group 2.11.7.1 (2008-07-15) - bug [security] XSRF/CSRF by manipulating the db, diff --git a/Documentation.html b/Documentation.html index 0dd544407..1c18ff8a4 100644 --- a/Documentation.html +++ b/Documentation.html @@ -577,6 +577,11 @@ GRANT ALL PRIVILEGES ON user_base.* TO 'real_user'@localhost IDENTIFIED BY 'real You can set this parameter to TRUE to stop this message from appearing. +
$cfg['AllowThirdPartyFraming'] boolean
+
Setting this to true allows a page located on a different + domain to call phpMyAdmin inside a frame, and is a potential security + hole allowing cross-frame scripting attacks.
+
$cfg['blowfish_secret'] string
The "cookie" auth_type uses blowfish algorithm to encrypt the password.
diff --git a/libraries/config.default.php b/libraries/config.default.php
index ec7715e58..750850cf2 100644
--- a/libraries/config.default.php
+++ b/libraries/config.default.php
@@ -53,6 +53,14 @@ $cfg['PmaNoRelation_DisableWarning'] = false;
  */
 $cfg['SuhosinDisableWarning'] = false;
+/**
+ * Allows phpMyAdmin to be included from a document located on
+ * another domain; setting this to true is a potential security hole
+ *
+ * @global boolean $cfg['AllowThirdPartyFraming']
+ */
+$cfg['AllowThirdPartyFraming'] = false;
+
 /**
  * The 'cookie' auth_type uses blowfish algorithm to encrypt the password. If
  * at least one server configuration uses 'cookie' auth_type, enter here a
diff --git a/libraries/header_scripts.inc.php b/libraries/header_scripts.inc.php
index ae237aba7..88e48d102 100644
--- a/libraries/header_scripts.inc.php
+++ b/libraries/header_scripts.inc.php
@@ -13,6 +13,27 @@ if (! defined('PHPMYADMIN')) {
  */
 require_once './libraries/common.inc.php';
+
+// Cross-framing protection
+if ( false === $GLOBALS['cfg']['AllowThirdPartyFraming']) {
+?> + +
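Review bot: The docblock added for `$cfg['AllowThirdPartyFraming']` documents the directive as a boolean but does not say that only the literal `false` keeps the protection on: the consumer added in libraries/header_scripts.inc.php in this same commit (its hunk is cut off in this view) tests `false === $GLOBALS['cfg']['AllowThirdPartyFraming']`, so a config.inc.php that sets the directive to `0`, `''` or `null` would silently allow framing. Because the safe value is the default, that check should fail closed, i.e. `if (! $GLOBALS['cfg']['AllowThirdPartyFraming']) {`, so that only an explicit `true` disables the protection. The docblock should also state where the protection is applied; the `?>` switch to output mode in header_scripts.inc.php suggests it is emitted as page content, and if it is script-based it depends on the browser running that script and does not replace a response header such as `X-Frame-Options` — I would add a line like ` * The protection is emitted by libraries/header_scripts.inc.php; only the literal true disables it`.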