Use X-Frame-Options header to protect against ClickJacking.

2010-01-13 13:03:56 +00:00
parent e8ce440fb7
commit 88af8f2779
2 changed files with 5 additions and 0 deletions
--- a/1
+++ b/1
@@ -56,6 +56,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 + [lang] Greek update, thanks to Panagiotis Papazoglou
 + [lang] Norwegian update, thanks to Sven-Erik Andersen 
 - bug #2929958 [import] Cannot import (French interface) 
+- [security] Use X-Frame-Options header to protect against ClickJacking.

 3.2.6.0 (not yet released)

--- a/libraries/header_http.inc.php
+++ b/libraries/header_http.inc.php
@@ -20,6 +20,10 @@ if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
 * Sends http headers
 */
 $GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
+/* Prevent against ClickJacking by allowing frames only from same origin */
+if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) {
+    header('X-Frame-Options: SAMEORIGIN');
+}
 header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21
 header('Last-Modified: ' . $GLOBALS['now']);
 header('Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0'); // HTTP/1.1