MDL-28344 new option to prevent clickjacking via frame embedding

admin/settings/security.php

@@ -82,6 +82,7 @@
     $temp->add(new admin_setting_configcheckbox('loginhttps', get_string('loginhttps', 'admin'), get_string('configloginhttps', 'admin'), 0));
     $temp->add(new admin_setting_configcheckbox('cookiesecure', get_string('cookiesecure', 'admin'), get_string('configcookiesecure', 'admin'), 0));
     $temp->add(new admin_setting_configcheckbox('cookiehttponly', get_string('cookiehttponly', 'admin'), get_string('configcookiehttponly', 'admin'), 0));
+    $temp->add(new admin_setting_configcheckbox('allowframembedding', get_string('allowframembedding', 'admin'), get_string('allowframembedding_help', 'admin'), 0));
     $ADMIN->add('security', $temp);
 
 

lang/en/admin.php

@@ -47,6 +47,8 @@
 $string['allowdeletes'] = 'Allow deletes';
 $string['allowediplist'] = 'Allowed IP list';
 $string['allowemailaddresses'] = 'Allowed email domains';
+$string['allowframembedding'] = 'Allow frame embedding';
+$string['allowframembedding_help'] = 'Allow embedding of this site in frames on external sites. Enabling of this feature is not recommended for security reasons.';
 $string['allowobjectembed'] = 'Allow EMBED and OBJECT tags';
 $string['allowrenames'] = 'Allow renames';
 $string['allowthemechangeonurl'] = 'Allow theme changes in the URL';

lib/weblib.php

@@ -1860,6 +1860,8 @@ function get_html_lang($dir = false) {
  * @param $cacheable Can this page be cached on back?
  */
 function send_headers($contenttype, $cacheable = true) {
+    global $CFG;
+
     @header('Content-Type: ' . $contenttype);
     @header('Content-Script-Type: text/javascript');
     @header('Content-Style-Type: text/css');
@@ -1878,6 +1880,10 @@ function send_headers($contenttype, $cacheable = true) {
         @header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
     }
     @header('Accept-Ranges: none');
+
+    if (empty($CFG->allowframembedding)) {
+        @header('X-Frame-Options: sameorigin');
+    }
 }
 
 /**