[geeklog-cvs] geeklog: Added a config option to send an X-FRAME-OPTIONS HTTP h...
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Thu Jun 11 05:25:23 EDT 2009
details: http://project.geeklog.net/cgi-bin/hgweb.cgi/rev/bd10538057fc
changeset: 7093:bd10538057fc
user: Dirk Haun <dirk at haun-online.de>
date: Thu Jun 11 10:35:38 2009 +0200
description:
Added a config option to send an X-FRAME-OPTIONS HTTP header to prevent "clickjacking"
diffstat:
language/english.php | 4 +++-
language/english_utf-8.php | 4 +++-
public_html/admin/install/config-install.php | 3 ++-
public_html/docs/english/config.html | 11 +++++++++++
public_html/docs/history | 4 +++-
public_html/lib-common.php | 4 ++++
sql/updates/mssql_1.5.2_to_1.6.0.php | 5 ++++-
sql/updates/mysql_1.5.2_to_1.6.0.php | 5 ++++-
8 files changed, 34 insertions(+), 6 deletions(-)
diffs (140 lines):
diff -r 3bfab85d3b7c -r bd10538057fc language/english.php
--- a/language/english.php Sun Jun 07 22:12:33 2009 +0200
+++ b/language/english.php Thu Jun 11 10:35:38 2009 +0200
@@ -1839,6 +1839,7 @@
'disable_autolinks' => "Disable Autolinks?",
'clickable_links' => 'Make URLs clickable?',
'compressed_output' => 'Send compressed output?',
+ 'frame_options' => 'Protection against "clickjacking"',
'censormode' => "Censor Mode?",
'censorreplace' => "Censor Replace Text",
'censorlist' => "Censor List",
@@ -1947,7 +1948,8 @@
18 => array('Disabled' => 0, 'Enabled (Exact Match)' => 1, 'Enabled (Word Beginning)' => 2, 'Enabled (Word Fragment)' => 3),
19 => array('Google' => 'google', 'Table' => 'table'),
20 => array('Exact Phrase' => 'phrase', 'All of The Words' => 'all', 'Any of The Words' => 'any'),
- 21 => array('HTML 4.01 Transitional' => 'html401transitional', 'HTML 4.01 Strict' => 'html401strict', 'XHTML 1.0 Transitional' => 'xhtml10transitional', 'XHTML 1.0 Strict' => 'xhtml10strict')
+ 21 => array('HTML 4.01 Transitional' => 'html401transitional', 'HTML 4.01 Strict' => 'html401strict', 'XHTML 1.0 Transitional' => 'xhtml10transitional', 'XHTML 1.0 Strict' => 'xhtml10strict'),
+ 22 => array('Strict' => 'DENY', 'Same Origin' => 'SAMEORIGIN', '(disabled)' => '')
);
?>
diff -r 3bfab85d3b7c -r bd10538057fc language/english_utf-8.php
--- a/language/english_utf-8.php Sun Jun 07 22:12:33 2009 +0200
+++ b/language/english_utf-8.php Thu Jun 11 10:35:38 2009 +0200
@@ -1839,6 +1839,7 @@
'disable_autolinks' => "Disable Autolinks?",
'clickable_links' => 'Make URLs clickable?',
'compressed_output' => 'Send compressed output?',
+ 'frame_options' => 'Protection against "clickjacking"',
'censormode' => "Censor Mode?",
'censorreplace' => "Censor Replace Text",
'censorlist' => "Censor List",
@@ -1947,7 +1948,8 @@
18 => array('Disabled' => 0, 'Enabled (Exact Match)' => 1, 'Enabled (Word Beginning)' => 2, 'Enabled (Word Fragment)' => 3),
19 => array('Google' => 'google', 'Table' => 'table'),
20 => array('Exact Phrase' => 'phrase', 'All of The Words' => 'all', 'Any of The Words' => 'any'),
- 21 => array('HTML 4.01 Transitional' => 'html401transitional', 'HTML 4.01 Strict' => 'html401strict', 'XHTML 1.0 Transitional' => 'xhtml10transitional', 'XHTML 1.0 Strict' => 'xhtml10strict')
+ 21 => array('HTML 4.01 Transitional' => 'html401transitional', 'HTML 4.01 Strict' => 'html401strict', 'XHTML 1.0 Transitional' => 'xhtml10transitional', 'XHTML 1.0 Strict' => 'xhtml10strict'),
+ 22 => array('Strict' => 'DENY', 'Same Origin' => 'SAMEORIGIN', '(disabled)' => '')
);
?>
diff -r 3bfab85d3b7c -r bd10538057fc public_html/admin/install/config-install.php
--- a/public_html/admin/install/config-install.php Sun Jun 07 22:12:33 2009 +0200
+++ b/public_html/admin/install/config-install.php Thu Jun 11 10:35:38 2009 +0200
@@ -313,7 +313,8 @@
$c->add('cron_schedule_interval',0,'text',7,31,NULL,860,TRUE);
$c->add('disable_autolinks',0,'select',7,31,0,1750,TRUE);
$c->add('clickable_links',1,'select',7,31,1,1753,TRUE);
- $c->add('compressed_output',0,'select',7,31,1,1757,TRUE);
+ $c->add('compressed_output',0,'select',7,31,1,1756,TRUE);
+ $c->add('frame_options','DENY','select',7,31,22,1758,TRUE);
$c->add('fs_debug', NULL, 'fieldset', 7, 32, NULL, 0, TRUE);
$c->add('rootdebug',FALSE,'select',7,32,1,520,TRUE);
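Review bot: The new `frame_options` registration at the second added line carries no comment, whereas the identical lines added in sql/updates/mssql_1.5.2_to_1.6.0.php and sql/updates/mysql_1.5.2_to_1.6.0.php are introduced with `// for the X-FRAME-OPTIONS header (Clickjacking protection)`; adding the same line here keeps the three registrations consistent. The entry refers to select set 22, which this commit defines only in language/english.php and language/english_utf-8.php, so a site running another language file presumably gets an empty select for this option until that file is updated — worth a sentence in the description or the history file. The change of the compressed_output sort value from 1757 to 1756 is not mentioned in the description; it looks like it is there to order the new entry after it, but that is inferred.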
diff -r 3bfab85d3b7c -r bd10538057fc public_html/docs/english/config.html
--- a/public_html/docs/english/config.html Sun Jun 07 22:12:33 2009 +0200
+++ b/public_html/docs/english/config.html Thu Jun 11 10:35:38 2009 +0200
@@ -1368,6 +1368,17 @@
however, result in slightly more load on the webserver.<br>
For now, this feature should be considered <strong>experimental</strong> and
hasn't been implemented for all HTML output yet.</td></tr>
+<tr>
+ <td valign="top"><a name="desc_frame_options">frame_options</a></td>
+ <td valign="top">DENY</td>
+ <td valign="top">Protection against <a
+ href="http://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a>: This
+ option indicates that the site's content should not be displayed in a frame.
+ This only works, however, when the visitor's browser respects the
+ <tt>X-FRAME-OPTIONS</tt> HTTP header. Options are to disallow all framing
+ (Strict), only allow framing from within the same site (Same Origin), or to
+ allow all framing (disabled). We strongly suggest <em>not</em> to disable
+ this option.</td></tr>
</table>
<h3><a name="misc_debug">Miscellaneous: Debug</a></h3>
diff -r 3bfab85d3b7c -r bd10538057fc public_html/docs/history
--- a/public_html/docs/history Sun Jun 07 22:12:33 2009 +0200
+++ b/public_html/docs/history Thu Jun 11 10:35:38 2009 +0200
@@ -1,6 +1,6 @@
Geeklog History/Changes:
-Jun ??, 2009 (1.6.0rc1)
+Jun ??, 2009 (1.6.0b3)
------------
Geeklog 1.6.0 incorporates the following projects implemented during
@@ -11,6 +11,8 @@
+ Comment moderation and editable comments, by Jared Wenerd
Changes since 1.6.0b2:
+- Added a config option to send an X-FRAME-OPTIONS HTTP header to prevent
+ "clickjacking" (requires browser support) [Dirk]
- Prevent XSS in the install script (reported independently by Nemesis and MaXe)
[Dirk]
- Removed old plugin API function plugin_commentsupport from the Calendar,
diff -r 3bfab85d3b7c -r bd10538057fc public_html/lib-common.php
--- a/public_html/lib-common.php Sun Jun 07 22:12:33 2009 +0200
+++ b/public_html/lib-common.php Thu Jun 11 10:35:38 2009 +0200
@@ -881,6 +881,10 @@
// send out the charset header
header('Content-Type: text/html; charset=' . COM_getCharset());
+ if (!empty($_CONF['frame_options'])) {
+ header('X-FRAME-OPTIONS: ' . $_CONF['frame_options']);
+ }
+
$header = new Template( $_CONF['path_layout'] );
$header->set_file( array(
'header' => 'header.thtml',
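Review bot: The added `header()` call writes `$_CONF['frame_options']` into the response as-is, relying on the admin select to restrict it to `DENY`, `SAMEORIGIN` or the empty string; a value that reaches the config table by another route (an old or hand-edited row) would produce a header the browser ignores and the protection silently disappears. Checking against the two defined values keeps that failure visible: `if (in_array($_CONF['frame_options'], array('DENY', 'SAMEORIGIN'), true)) {`. The header is also only emitted here, next to the Content-Type header, so any page or script that produces output without going through this function stays unprotected; that limit should at least be stated in a comment above the `if`, e.g. `// X-FRAME-OPTIONS is only sent for pages rendered through this function`. The enclosing function starts and ends outside the hunk.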
diff -r 3bfab85d3b7c -r bd10538057fc sql/updates/mssql_1.5.2_to_1.6.0.php
--- a/sql/updates/mssql_1.5.2_to_1.6.0.php Sun Jun 07 22:12:33 2009 +0200
+++ b/sql/updates/mssql_1.5.2_to_1.6.0.php Thu Jun 11 10:35:38 2009 +0200
@@ -131,7 +131,10 @@
$c->add('clickable_links',1,'select',7,31,1,1753,TRUE);
// experimental: compress output before sending it to the browser
- $c->add('compressed_output',0,'select',7,31,1,1757,TRUE);
+ $c->add('compressed_output',0,'select',7,31,1,1756,TRUE);
+
+ // for the X-FRAME-OPTIONS header (Clickjacking protection)
+ $c->add('frame_options','DENY','select',7,31,22,1758,TRUE);
return true;
}
diff -r 3bfab85d3b7c -r bd10538057fc sql/updates/mysql_1.5.2_to_1.6.0.php
--- a/sql/updates/mysql_1.5.2_to_1.6.0.php Sun Jun 07 22:12:33 2009 +0200
+++ b/sql/updates/mysql_1.5.2_to_1.6.0.php Thu Jun 11 10:35:38 2009 +0200
@@ -117,7 +117,10 @@
$c->add('clickable_links',1,'select',7,31,1,1753,TRUE);
// experimental: compress output before sending it to the browser
- $c->add('compressed_output',0,'select',7,31,1,1757,TRUE);
+ $c->add('compressed_output',0,'select',7,31,1,1756,TRUE);
+
+ // for the X-FRAME-OPTIONS header (Clickjacking protection)
+ $c->add('frame_options','DENY','select',7,31,22,1758,TRUE);
return true;
}