From cf3f73f5d0f549c7833da0483a168effe627ca16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Wed, 13 Jan 2010 13:03:56 +0000
Subject: [PATCH] Use X-Frame-Options header to protect against ClickJacking.
---
ChangeLog | 1 +
libraries/header_http.inc.php | 4 ++++
2 files changed, 5 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 488627b84..cb6bc06b2 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -53,6 +53,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
+ [lang] Greek update, thanks to Panagiotis Papazoglou
+ [lang] Norwegian update, thanks to Sven-Erik Andersen
- bug #2929958 [import] Cannot import (French interface)
+- [security] Use X-Frame-Options header to protect against ClickJacking.
3.2.6.0 (not yet released)
diff --git a/libraries/header_http.inc.php b/libraries/header_http.inc.php
index 9d2025f02..2a1c44564 100644
--- a/libraries/header_http.inc.php
+++ b/libraries/header_http.inc.php
@@ -20,6 +20,10 @@ if (isset($_REQUEST['GLOBALS']) || isset($_FILES['GLOBALS'])) {
* Sends http headers
*/
$GLOBALS['now'] = gmdate('D, d M Y H:i:s') . ' GMT';
+/* Prevent against ClickJacking by allowing frames only from same origin */
+if (!$GLOBALS['cfg']['AllowThirdPartyFraming']) {
+ header('X-Frame-Options: SAMEORIGIN');
+}
header('Expires: ' . $GLOBALS['now']); // rfc2616 - Section 14.21
header('Last-Modified: ' . $GLOBALS['now']);
header('Cache-Control: no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0'); // HTTP/1.1
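Review bot: The new guard `if (!$GLOBALS['cfg']['AllowThirdPartyFraming'])` reads a config key that this patch does not declare anywhere — the diffstat touches only ChangeLog and header_http.inc.php — so on an installation whose config predates this change the lookup is an undefined index: a notice, and, because the value is then null, the header is still sent (the safe direction). Writing it as `if (empty($GLOBALS['cfg']['AllowThirdPartyFraming'])) {` keeps that fail-closed behaviour without the notice; please confirm whether config.default.php declares the key in a commit outside this diff. Note also that when the option is enabled no header at all is emitted, so framing by any origin is permitted, and that X-Frame-Options is only enforced by browsers that implement it, so it complements rather than replaces any frame-busting script the pages may already carry. The added comment would read better as `/* Protect against clickjacking: allow this page to be framed only from the same origin */`. The header-emitting code in header_http.inc.php continues outside the hunk.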