
Add Frame Security Options header

Jeremy D 11 years ago
parent
commit
1e3d6c90de

+ 2 - 0
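--- a/Sources/ManageSettings.php
+++ b/Sources/ManageSettings.php
@@ -605,6 +605,8 @@ function ModifyGeneralSecuritySettings($return_config = false)
 		'',
 			// Reporting of personal messages?
 			array('check', 'enableReportPM'),
+		'',
+			array('select', 'frame_security', array('SAMEORIGIN' => $txt['setting_frame_security_SAMEORIGIN'], 'DENY' => $txt['setting_frame_security_DENY'], 'DISABLE' => $txt['setting_frame_security_DISABLE'])),
 	);
 
 	call_integration_hook('integrate_general_security_settings', array(&$config_vars));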
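Review bot: The new select is added with no explanation of what the three choices mean for the admin picking them, and 'DISABLE' is the one that matters: it makes frameOptionsHeader() send no X-Frame-Options header at all (see the early return in Sources/Security.php in this commit), so any origin can frame the forum and clickjacking protection is off. A one-line comment above the entry would make that intent clear to the next maintainer, e.g. `// Clickjacking protection (X-Frame-Options). DISABLE sends no header, so any site may frame the forum.`. Listing SAMEORIGIN first matches the runtime fallback used when nothing has been stored yet, which is worth stating in the same comment. ModifyGeneralSecuritySettings begins and ends outside this hunk.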

+ 28 - 2
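--- a/Sources/Security.php
+++ b/Sources/Security.php
@@ -1284,7 +1284,7 @@ RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml';
 	{
 		$fh = @fopen($path . '/index.php', 'w');
 		if ($fh) {
-			fwrite($fh, '<?php
+			fwrite($fh, '<' . '?php
 
 /**
  * This file is here solely to protect your ' . $directoryname . ' directory.
@@ -1301,7 +1301,7 @@ if (file_exists(dirname(dirname(__FILE__)) . \'/Settings.php\'))
 else
 	exit;
 
-?>');
+?'. '>');
 			fclose($fh);
 		}
 		$errors[] = 'index-php_cannot_create_file';
@@ -1352,4 +1352,30 @@ function constructBanQueryIP($fullip)
 	return $ban_query;
 }
 
+/**
+* This sets the X-Frame-Options header.
+*
+* @param string $option the frame option, defaults to deny.
+* @return void.
+* @since 3.0
+* @version 3.0
+*/
+function frameOptionsHeader($override = null)
+{
+	global $modSettings;
+
+	$option = 'SAMEORIGIN';
+	if (is_null($override) && !empty($modSettings['frame_security']))
+		$option = $modSettings['frame_security'];
+	elseif (in_array($override, array('SAMEORIGIN', 'DENY', 'SAMEORIGIN')))
+		$option = $override;
+
+	// Don't bother setting the header if we have disabled it.
+	if ($option == 'DISABLE')
+		return;
+
+	// Finally set it.
+	header('X-Frame-Options: ' . $option);
+}
+
 ?>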
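Review bot: The override whitelist in frameOptionsHeader() repeats 'SAMEORIGIN' and omits 'DISABLE', so a caller passing `frameOptionsHeader('DISABLE')` silently falls back to SAMEORIGIN instead of suppressing the header; the line should read `elseif (in_array($override, array('SAMEORIGIN', 'DENY', 'DISABLE'), true))`. The stored `$modSettings['frame_security']` is emitted without the same check; PHP's `header()` rejects CR/LF so this is not an injection path, but validating it against the same list keeps a hand-edited or corrupted setting from sending a value browsers ignore, e.g. `if (is_null($override) && !empty($modSettings['frame_security']) && in_array($modSettings['frame_security'], array('SAMEORIGIN', 'DENY', 'DISABLE'), true))`. The docblock also contradicts the code: it documents a parameter named `$option` that "defaults to deny" while the parameter is `$override` and the fallback is SAMEORIGIN; suggest `@param string|null $override SAMEORIGIN, DENY or DISABLE; null uses $modSettings['frame_security'], else SAMEORIGIN.` and `@return void` without the trailing period. The first two hunks only split the `<?php` / `?>` literals and are not re-reviewed here.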

+ 3 - 0
Sources/Subs.php

@@ -2592,6 +2592,9 @@ function obExit($header = null, $do_footer = null, $from_index = false, $from_fa
 	if ($do_footer === null)
 		$do_footer = $do_header;
 
+	// We should set our security headers now.
+	frameOptionsHeader();
+
 	// Has the template/header been done yet?
 	if ($do_header)
 	{
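Review bot: `frameOptionsHeader()` is called before the `$do_header` test, so if obExit() can be entered after output has already been flushed (the "has the header been done yet?" check suggests it runs more than once per request) the `header()` call will raise a "headers already sent" warning and do nothing; guarding it with `if (!headers_sent()) frameOptionsHeader();` or moving the call inside the `$do_header` branch avoids that, and which is right depends on the obExit call sites not visible here. Note also that only responses leaving through obExit() get the header: any path that exits or redirects without it (a bare `exit`/`die`, or a redirect helper, if such exist) stays frameable, which is worth a comment or a follow-up. obExit's signature is in the hunk context but its body starts and ends outside the hunk.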

+ 6 - 1
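--- a/Themes/default/languages/ManageSettings.english.php
+++ b/Themes/default/languages/ManageSettings.english.php
@@ -384,4 +384,9 @@ $txt['languages_download_complete'] = 'Installation Complete';
 $txt['languages_download_complete_desc'] = 'Language pack installed successfully. Please click <a href="%1$s">here</a> to return to the languages page';
 $txt['languages_delete_confirm'] = 'Are you sure you want to delete this language?';
 
-?>
+$txt['setting_frame_security'] = 'Frame Security Options';
+$txt['setting_frame_security_SAMEORIGIN'] = 'Allow Same Origin';
+$txt['setting_frame_security_DENY'] = 'Deny all frames';
+$txt['setting_frame_security_DISABLE'] = 'Disabled';
+
+?>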