Upgrade anti-framing, anti-clickjacking code

lib/action.php

@@ -334,9 +334,12 @@ class Action extends HTMLOutputter // lawsuit
                 $this->inlineScript('var _peopletagAC = "' .
                     common_local_url('peopletagautocomplete') . '";');
                 $this->showScriptMessages();
-                // Frame-busting code to avoid clickjacking attacks.
+                // Anti-framing code to avoid clickjacking attacks in older browsers.
+                // This will show a blank page if the page is being framed, which is
+                // consistent with the behavior of the 'X-Frame-Options: SAMEORIGIN'
+                // header, which prevents framing in newer browser.
                 if (common_config('javascript', 'bustframes')) {
-                    $this->inlineScript('if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
+                    $this->inlineScript('if (window.top !== window.self) { document.write = ""; window.top.location = window.self.location; setTimeout(function () { document.body.innerHTML = ""; }, 1); window.self.onload = function () { document.body.innerHTML = ""; }; }');
                 }
                 Event::handle('EndShowStatusNetScripts', array($this));
                 Event::handle('EndShowLaconicaScripts', array($this));

lib/htmloutputter.php

@@ -108,6 +108,13 @@ class HTMLOutputter extends XMLOutputter
 
         header('Content-Type: '.$type);
 
+	// Output anti-framing headers to prevent clickjacking (respected by newer
+        // browsers).
+	if (common_config('javascript', 'bustframes')) {
+            header('X-XSS-Protection 1; mode=block'); // detect XSS Reflection attacks
+            header('X-Frame-Options: SAMEORIGIN'); // no rendering if origin mismatch
+        }
+
         $this->extraHeaders();
         if (preg_match("/.*\/.*xml/", $type)) {
             // Required for XML documents