- // Frame-busting code to avoid clickjacking attacks.
- $this->inlineScript('if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
+ // Anti-framing code to avoid clickjacking attacks in older browsers.
+ // This will show a blank page if the page is being framed, which is
+ // consistent with the behavior of the 'X-Frame-Options: SAMEORIGIN'
+ // header, which prevents framing in newer browser.
+ if (common_config('javascript', 'bustframes')) {
+ $this->inlineScript('if (window.top !== window.self) { document.write = ""; window.top.location = window.self.location; setTimeout(function () { document.body.innerHTML = ""; }, 1); window.self.onload = function () { document.body.innerHTML = ""; }; }');
+ }
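Review bot: The blanking statements in the new inlineScript string never execute if the assignment to `window.top.location` throws, which it does when the framing document sandboxes the iframe without `allow-top-navigation` or top navigation is otherwise blocked, because the exception aborts the script right after `document.write = ""` and the `setTimeout`/`onload` handlers are never installed, leaving the framed page visible. Register the blanking first and guard the navigation, e.g. `try { window.top.location = window.self.location; } catch (e) {}` placed after the `setTimeout` and `onload` assignments. The comment also presumes an `X-Frame-Options: SAMEORIGIN` header is sent elsewhere; that is not visible in this hunk, and since script-based frame busting is known to be bypassable it should be documented as a fallback to that header (and ideally a CSP `frame-ancestors` directive), not a substitute. The enclosing method starts and ends outside the hunk, so the default of the `bustframes` setting cannot be confirmed here.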