From: Reed Loden <reed@reedloden.com>
Date: Sat, 18 Dec 2010 08:40:24 +0000 (-0800)
Subject: Bug 475894 - Send the 'X-Frame-Options: SAMEORIGIN' header to help protect against... 
X-Git-Tag: bugzilla-4.1.1~125
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c9c81ee7156fc47d834317644baa25cec7cf16e4;p=thirdparty%2Fbugzilla.git

Bug 475894 - Send the 'X-Frame-Options: SAMEORIGIN' header to help protect against clickjacking.
[r=mkanat a=mkanat]
---

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index b32f76ae01..7c42d6f63c 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -287,6 +287,12 @@ sub header {
         unshift(@_, '-strict_transport_security' => $sts_opts);
     }
 
+    # Add X-Frame-Options header to prevent framing and subsequent
+    # possible clickjacking problems.
+    unless ($self->url_is_attachment_base) {
+        unshift(@_, '-x_frame_options' => 'SAMEORIGIN');
+    }
+
     return $self->SUPER::header(@_) || "";
 }