diff --git a/lib/action.php b/lib/action.php
index 3492873c59..81aa8eb12c 100644
--- a/lib/action.php
+++ b/lib/action.php
@@ -334,9 +334,12 @@ class Action extends HTMLOutputter // lawsuit
 $this->inlineScript('var _peopletagAC = "' . common_local_url('peopletagautocomplete') . '";');
 $this->showScriptMessages();
- // Frame-busting code to avoid clickjacking attacks.
+ // Anti-framing code to avoid clickjacking attacks in older browsers.
+ // This will show a blank page if the page is being framed, which is
+ // consistent with the behavior of the 'X-Frame-Options: SAMEORIGIN'
+ // header, which prevents framing in newer browser.
 if (common_config('javascript', 'bustframes')) {
- $this->inlineScript('if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
+ $this->inlineScript('if (window.top !== window.self) { document.write = ""; window.top.location = window.self.location; setTimeout(function () { document.body.innerHTML = ""; }, 1); window.self.onload = function () { document.body.innerHTML = ""; }; }');
 }
 Event::handle('EndShowStatusNetScripts', array($this));
 Event::handle('EndShowLaconicaScripts', array($this));
diff --git a/lib/htmloutputter.php b/lib/htmloutputter.php
index 3b3c1913a1..e358b2be5d 100644
--- a/lib/htmloutputter.php
+++ b/lib/htmloutputter.php
@@ -108,6 +108,13 @@ class HTMLOutputter extends XMLOutputter
 header('Content-Type: '.$type);
+ // Output anti-framing headers to prevent clickjacking (respected by newer
+ // browsers).
+ if (common_config('javascript', 'bustframes')) {
+ header('X-XSS-Protection 1; mode=block'); // detect XSS Reflection attacks
+ header('X-Frame-Options: SAMEORIGIN'); // no rendering if origin mismatch
+ }
 $this->extraHeaders();
 if (preg_match("/.*\/.*xml/", $type)) { // Required for XML documents
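Review bot: The new inline script on the added `$this->inlineScript(...)` line still fails open: the page renders normally unless the script runs and the `window.top.location` assignment or the deferred `document.body.innerHTML = ""` calls take effect, so a framing document that prevents script execution or the navigation is left with a fully visible page. The more robust legacy pattern is hide-by-default, reveal-when-top-level: emit a style element `<style id="antiClickjack">body{display:none !important;}</style>` before the script and replace the script body with `if (self === top) { var s = document.getElementById('antiClickjack'); s.parentNode.removeChild(s); } else { top.location = self.location; }`. `document.write = ""` assigns a string to a function property and has no documented protective effect; either drop it or add a comment saying what it is meant to achieve. The new comment's "newer browser" should read "newer browsers". The enclosing method starts and ends outside this hunk.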
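Review bot: `header('X-XSS-Protection 1; mode=block')` is missing the colon after the header name, so PHP emits a malformed header line that browsers will not recognise as X-XSS-Protection; it should read `header('X-XSS-Protection: 1; mode=block');`. Gating that header on the `javascript`/`bustframes` setting also couples two unrelated protections, so a site that turns off frame busting silently loses the reflected-XSS filter hint; consider sending it unconditionally or under its own setting, and say so in the comment above the block. The trailing comment `// no rendering if origin mismatch` is slightly off, since SAMEORIGIN still allows framing by same-origin pages and blocks only cross-origin framers. The hunk's line counts suggest it continues past the end of this excerpt, and the enclosing method starts outside it.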