Merge pull request #341 from jdarwood007/csp-frame-header

Add Frame Security Options header

Sources/ManageSettings.php

@@ -605,6 +605,8 @@ function ModifyGeneralSecuritySettings($return_config = false)
 		'',
 			// Reporting of personal messages?
 			array('check', 'enableReportPM'),
+		'',
+			array('select', 'frame_security', array('SAMEORIGIN' => $txt['setting_frame_security_SAMEORIGIN'], 'DENY' => $txt['setting_frame_security_DENY'], 'DISABLE' => $txt['setting_frame_security_DISABLE'])),
 	);
 
 	call_integration_hook('integrate_general_security_settings', array(&$config_vars));

Sources/Security.php

@@ -1286,7 +1286,7 @@ RemoveHandler .php .php3 .phtml .cgi .fcgi .pl .fpl .shtml';
 	{
 		$fh = @fopen($path . '/index.php', 'w');
 		if ($fh) {
-			fwrite($fh, '<?php
+			fwrite($fh, '<' . '?php
 
 /**
  * This file is here solely to protect your ' . $directoryname . ' directory.
@@ -1303,7 +1303,7 @@ if (file_exists(dirname(dirname(__FILE__)) . \'/Settings.php\'))
 else
 	exit;
 
-?>');
+?'. '>');
 			fclose($fh);
 		}
 		$errors[] = 'index-php_cannot_create_file';
@@ -1354,4 +1354,29 @@ function constructBanQueryIP($fullip)
 	return $ban_query;
 }
 
-?>
+/**
+* This sets the X-Frame-Options header.
+*
+* @param string $option the frame option, defaults to deny.
+* @return void.
+* @since 2.1
+*/
+function frameOptionsHeader($override = null)
+{
+	global $modSettings;
+
+	$option = 'SAMEORIGIN';
+	if (is_null($override) && !empty($modSettings['frame_security']))
+		$option = $modSettings['frame_security'];
+	elseif (in_array($override, array('SAMEORIGIN', 'DENY', 'SAMEORIGIN')))
+		$option = $override;
+
+	// Don't bother setting the header if we have disabled it.
+	if ($option == 'DISABLE')
+		return;
+
+	// Finally set it.
+	header('X-Frame-Options: ' . $option);
+}
+
+?>

Themes/default/languages/ManageSettings.english.php

@@ -384,4 +384,9 @@ $txt['languages_download_complete'] = 'Installation Complete';
 $txt['languages_download_complete_desc'] = 'Language pack installed successfully. Please click <a href="%1$s">here</a> to return to the languages page';
 $txt['languages_delete_confirm'] = 'Are you sure you want to delete this language?';
 
-?>
+$txt['setting_frame_security'] = 'Frame Security Options';
+$txt['setting_frame_security_SAMEORIGIN'] = 'Allow Same Origin';
+$txt['setting_frame_security_DENY'] = 'Deny all frames';
+$txt['setting_frame_security_DISABLE'] = 'Disabled';
+
+?>

index.php

@@ -178,6 +178,9 @@ function smf_main()
 		die("\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3B");
 	}
 
+	// We should set our security headers now.
+	frameOptionsHeader();
+
 	// Load the user's cookie (or set as guest) and load their settings.
 	loadUserSettings();