Only allow iFrame integration within the same domain #1114

Admidio · Oct 17, 2021 · 2f4520d · 2f4520d
1 parent a71534e
commit 2f4520d
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 1 deletion.
diff --git a/adm_program/system/bootstrap/constants.php b/adm_program/system/bootstrap/constants.php
@@ -24,7 +24,7 @@
 
 define('ADMIDIO_VERSION_MAIN', 4);
 define('ADMIDIO_VERSION_MINOR', 0);
-define('ADMIDIO_VERSION_PATCH', 10);
+define('ADMIDIO_VERSION_PATCH', 11);
 define('ADMIDIO_VERSION_BETA', 0);
 define('ADMIDIO_VERSION', ADMIDIO_VERSION_MAIN . '.' . ADMIDIO_VERSION_MINOR . '.' . ADMIDIO_VERSION_PATCH);
 

diff --git a/adm_program/system/classes/HtmlPage.php b/adm_program/system/classes/HtmlPage.php
@@ -449,6 +449,9 @@ public function show()
             $hasPreviousUrl = true;
         }
 
+        // disallow iFrame integration from other domains to avoid clickjacking attacks
+        header('X-Frame-Options: SAMEORIGIN');
+
         // add page functions menu to global menu
         $gMenu->addFunctionsNode($this->menuNodePageFunctions);
 

diff --git a/adm_program/system/classes/HtmlPageInstallation.php b/adm_program/system/classes/HtmlPageInstallation.php
@@ -114,6 +114,9 @@ public function setUpdateModus()
      */
     public function show()
     {
+        // disallow iFrame integration from other domains to avoid clickjacking attacks
+        header('X-Frame-Options: SAMEORIGIN');
+
         $this->assignDefaultVariables();
         $this->display('index.tpl');
     }
@@ -132,6 +135,9 @@ public function show()
      */
     public function showMessage($outputMode, $headline, $text, $buttonText, $buttonIcon, $destinationUrl)
     {
+        // disallow iFrame integration from other domains to avoid clickjacking attacks
+        header('X-Frame-Options: SAMEORIGIN');
+
         $this->assign('outputMode', $outputMode);
         $this->assign('messageHeadline', $headline);
         $this->assign('messageText', $text);