check for 'post' verb in microapps by default
[quix0rs-gnu-social.git] / lib / htmloutputter.php
index 3b3c1913a1dc0e427ab4f684a3fde9476a6bbff6..9a43ef069efaae237df31f7b48931827ec1103ee 100644 (file)
@@ -108,6 +108,13 @@ class HTMLOutputter extends XMLOutputter
 
         header('Content-Type: '.$type);
 
+       // Output anti-framing headers to prevent clickjacking (respected by newer
+        // browsers).
+       if (common_config('javascript', 'bustframes')) {
+            header('X-XSS-Protection: 1; mode=block'); // detect XSS Reflection attacks
+            header('X-Frame-Options: SAMEORIGIN'); // no rendering if origin mismatch
+        }
+
         $this->extraHeaders();
         if (preg_match("/.*\/.*xml/", $type)) {
             // Required for XML documents
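Review bot: The `X-XSS-Protection` header added inside the `common_config('javascript', 'bustframes')` check is not an anti-framing control, although the comment above it and the condition both treat it as one. As written, a site that switches off JavaScript frame busting also stops sending the reflected-XSS filter header and the server-side `X-Frame-Options`. I would keep only `header('X-Frame-Options: SAMEORIGIN');` under that condition, send the other header unconditionally or under its own setting, and reword the comment to `// Anti-framing header against clickjacking; X-XSS-Protection is a separate legacy XSS-filter hint.` Current browsers prefer `Content-Security-Policy: frame-ancestors 'self'` for framing control, so that header could be sent alongside `X-Frame-Options`. The enclosing method starts and ends outside this hunk, so it is not visible here whether `extraHeaders()` can later replace these values.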