Add framebusting JavaScript to help avoid clickjacking attacks.
authorMeitar Moscovitz <meitarm@gmail.com>
Mon, 16 Feb 2009 04:45:18 +0000 (15:45 +1100)
committerMeitar Moscovitz <meitarm@gmail.com>
Mon, 16 Feb 2009 04:45:18 +0000 (15:45 +1100)
lib/action.php

index cd0db5399997b8facf5132a3702ea5c3b2337433..48d5821a17324ea6573429f6b42a02b8ba847f68 100644 (file)
@@ -205,6 +205,9 @@ class Action extends HTMLOutputter // lawsuit
                 $this->element('script', array('type' => 'text/javascript',
                                                'src' => common_path('js/util.js?version='.LACONICA_VERSION)),
                                ' ');
+                // Frame-busting code to avoid clickjacking attacks.
+                $this->element('script', array('type' => 'text/javascript'),
+                               'if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
                 Event::handle('EndShowLaconicaScripts', array($this));
             }
             Event::handle('EndShowScripts', array($this));
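Review bot: The inline script on the added lines is the only anti-framing control here, and a script-based check is best-effort: it does nothing when the embedding page keeps scripts in the frame from running or blocks top-level navigation, and the page stays rendered until the script executes. Pair it with a response header sent before any output, e.g. `header('X-Frame-Options: SAMEORIGIN');` (and `Content-Security-Policy: frame-ancestors 'self'` where supported), which the browser enforces regardless of script state. The script is also emitted inside the block that closes with `EndShowLaconicaScripts`, so it is presumably skipped whenever a handler suppresses the default scripts; emitting it outside that conditional, ahead of the other scripts, would keep the check unconditional. The enclosing method begins and ends outside this hunk, so the exact condition cannot be confirmed from here.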