Security fix: prevent click-jacking

craigk5n · Oct 14, 2021 · 6a3b8ea · 6a3b8ea
1 parent d9729b4
commit 6a3b8ea
Showing 1 changed file with 14 additions and 9 deletions.
diff --git a/includes/init.php b/includes/init.php
@@ -134,18 +134,23 @@ function print_header( $includes = '', $HeadX = '', $BodyX = '',
   //  <link href="//cdnjs.cloudflare.com/ajax/libs/normalize/6.0.0/normalize.css" rel="stylesheet">
   //  <link href="' . $incdir . '/css/punctuation.css" rel="stylesheet">';
 
+  // Prevent click-jacking by including a "frame-breaker" script in each page that should not be framed.
+  // Source: https://cheatsheetseries.owasp.org/cheatsheets/Clickjacking_Defense_Cheat_Sheet.html
+  Header("Content-Security-Policy: frame-ancestors 'self'"); // TODO: customize this via admin.php
+  $ret .= "\n<style id=\"antiClickjack\">\n  body{display:none !important;}\n</style>\n" .
+    "<script type=\"text/javascript\">\n" .
+    "  if (self === top) {\n" .
+    "      var antiClickjack = document.getElementById(\"antiClickjack\");\n" .
+    "      antiClickjack.parentNode.removeChild(antiClickjack);\n" .
+    "  } else {\n" .
+    "      top.location = self.location;\n" .
+    "  }\n" .
+    "</script>\n";
+
+
   // TODO: allow option to host bootstrap & jquery locally
   // TODO: move version info someplace else so we can update boostrap version by updating just one file.
   $ret .= $JQUERY;
-  $xret .= 
-    '<link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css" integrity="sha384-Gn5384xqQ1aoWXA+058RXPxPg6fy4IWvTNh0E263XmFcJlSAwiGgFAW/dAiS6JXm" crossorigin="anonymous">' .
-    '<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>' .
-    '<script src="https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q" crossorigin="anonymous"></script>' .
-    '<script src="https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl" crossorigin="anonymous"></script>' .
-    '<!-- Tiny color: https://github.com/bgrins/TinyColor/ -->' .
-    '<script src="includes/js/tinycolor.js"></script>' .
-    '<!-- Readable: https://github.com/aramk/readable-color -->' .
-    '<script src="includes/js/readable.js"></script>' . "\n";
 
   if( ! $disableUTIL )
     $js_ar[] = 'js/util.js';