From 5c754932e767b5bbf8a957590b4f0a9fead1d5a4 Mon Sep 17 00:00:00 2001
From: Petr Skoda
Date: Thu, 14 Jul 2011 22:01:23 +0200
Subject: [PATCH] MDL-28344 new option to prevent clickjacking via frame embedding
---
 admin/settings/security.php | 1 +
 lang/en/admin.php | 2 ++
 lib/weblib.php | 6 ++++++
 3 files changed, 9 insertions(+)
diff --git a/admin/settings/security.php b/admin/settings/security.php
index 8df02f532f9df..b2b264c5c2e61 100644
--- a/admin/settings/security.php
+++ b/admin/settings/security.php
@@ -82,6 +82,7 @@
 $temp->add(new admin_setting_configcheckbox('loginhttps', get_string('loginhttps', 'admin'), get_string('configloginhttps', 'admin'), 0));
 $temp->add(new admin_setting_configcheckbox('cookiesecure', get_string('cookiesecure', 'admin'), get_string('configcookiesecure', 'admin'), 0));
 $temp->add(new admin_setting_configcheckbox('cookiehttponly', get_string('cookiehttponly', 'admin'), get_string('configcookiehttponly', 'admin'), 0));
+ $temp->add(new admin_setting_configcheckbox('allowframembedding', get_string('allowframembedding', 'admin'), get_string('allowframembedding_help', 'admin'), 0));
 $ADMIN->add('security', $temp);
diff --git a/lang/en/admin.php b/lang/en/admin.php
index 1dfba8405083a..134367b806945 100644
--- a/lang/en/admin.php
+++ b/lang/en/admin.php
@@ -47,6 +47,8 @@
 $string['allowdeletes'] = 'Allow deletes';
 $string['allowediplist'] = 'Allowed IP list';
 $string['allowemailaddresses'] = 'Allowed email domains';
+$string['allowframembedding'] = 'Allow frame embedding';
+$string['allowframembedding_help'] = 'Allow embedding of this site in frames on external sites. Enabling of this feature is not recommended for security reasons.';
 $string['allowobjectembed'] = 'Allow EMBED and OBJECT tags';
 $string['allowrenames'] = 'Allow renames';
 $string['allowthemechangeonurl'] = 'Allow theme changes in the URL';
diff --git a/lib/weblib.php b/lib/weblib.php
index 2b806de22eb6d..f2d058390244a 100644
--- a/lib/weblib.php
+++ b/lib/weblib.php
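Review bot: The description string for the new checkbox is fetched as `allowframembedding_help`, while every neighbouring setting in this block uses the `config<name>` key (`configloginhttps`, `configcookiesecure`, `configcookiehttponly`); unless `_help` is deliberately the new convention, `get_string('configallowframembedding', 'admin')` together with the matching key in lang/en/admin.php would keep the block consistent. The identifier `allowframembedding` also reads as though it is missing an "e" (frame + embedding); since it becomes the persisted config key used in all three files, the spelling is worth settling before it ships. The default of 0, i.e. embedding denied unless an admin opts in, is the right secure default.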
@@ -1860,6 +1860,8 @@ function get_html_lang($dir = false) {
 * @param $cacheable Can this page be cached on back?
 */
 function send_headers($contenttype, $cacheable = true) {
+ global $CFG;
+
 @header('Content-Type: ' . $contenttype);
 @header('Content-Script-Type: text/javascript');
 @header('Content-Style-Type: text/css');
@@ -1878,6 +1880,10 @@ function send_headers($contenttype, $cacheable = true) {
 @header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
 }
 @header('Accept-Ranges: none');
+
+ if (empty($CFG->allowframembedding)) {
+ @header('X-Frame-Options: sameorigin');
+ }
 }
 /**
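Review bot: The docblock of send_headers() (its `@param $cacheable` line is this hunk's first context line) is not updated for the new behaviour, so the frame-busting header and its dependency on `$CFG->allowframembedding` go undocumented. Add a sentence above the `@param` lines such as `Also emits "X-Frame-Options: sameorigin" unless $CFG->allowframembedding is enabled, so the page cannot be framed by other origins (clickjacking protection).` send_headers() continues past this hunk.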
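Review bot: The new `X-Frame-Options` header is sent through `@header(...)`, so if any output has already started the header is silently discarded and the clickjacking protection fails without a trace; the `@` convention is tolerable for the caching headers around it, but for a security header a silent failure is worse than a warning, so either drop the `@` on that line or guard it, e.g. `if (!headers_sent()) { header('X-Frame-Options: sameorigin'); }` with a debugging notice in the else branch. The header is also only present on responses that pass through send_headers(); presumably any script that emits output without calling it stays frameable, which is worth stating in the function's docblock. Modern browsers honour `Content-Security-Policy: frame-ancestors 'self'` as the successor to this header, so a later follow-up could emit both from the same branch.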