configuration option to bust frames or not

README

@@ -1139,6 +1139,9 @@ ssl: Whether to use SSL for JavaScript files. Default is null, which means
 sslserver: SSL server to use when page is HTTPS-encrypted. If
     unspecified, site ssl server and so on will be used.
 sslpath: If sslserver if defined, path to use when page is HTTPS-encrypted.
+bustframes: If true, all web pages will break out of framesets. If false,
+	    can comfortably live in a frame or iframe... probably. Default
+	    to true.
 
 xmpp
 ----

lib/action.php

@@ -298,7 +298,9 @@ class Action extends HTMLOutputter // lawsuit
                 $this->script('util.min.js');
                 $this->showScriptMessages();
                 // Frame-busting code to avoid clickjacking attacks.
-                $this->inlineScript('if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
+                if (common_config('javascript', 'bustframes')) {
+                    $this->inlineScript('if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
+                }
                 Event::handle('EndShowStatusNetScripts', array($this));
                 Event::handle('EndShowLaconicaScripts', array($this));
             }

lib/default.php

@@ -154,7 +154,8 @@ $default =
         'javascript' =>
         array('server' => null,
               'path'=> null,
-              'ssl' => null),
+              'ssl' => null,
+              'bustframes' => true),
         'local' => // To override path/server for themes in 'local' dir (not currently applied to local plugins)
         array('server' => null,
               'dir' => null,