Prevent other sites from loading the login page in an iframe.

This patch adds the X-Frame-Options header to prevent simpleSAMLphp pages from being used in iframes on third-party sited. Thanks to Thijs Kinkhorst for adding this! git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3004 44740490-163a-0410-bde0-09ae8108e29a

Prevent other sites from loading the login page in an iframe.
This patch adds the X-Frame-Options header to prevent simpleSAMLphp pages from being used in iframes on third-party sited. Thanks to Thijs Kinkhorst for adding this! git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3004 44740490-163a-0410-bde0-09ae8108e29a
a923d004 · Olav Morken · f32b2236 · a923d004
Commit a923d004 authored 13 years ago by Olav Morken
--- a/templates/includes/header.php
+++ b/templates/includes/header.php
@@ -29,8 +29,16 @@ if (array_key_exists('pageid', $this->data)) {
 }
 // - o - o - o - o - o - o - o - o - o - o - o - o -
+/**
+ * Do not allow to frame simpleSAMLphp pages from another location.
+ * This prevents clickjacking attacks in modern browsers.
+ *
+ * If you don't want any framing at all you can even change this to
+ * 'DENY', or comment it out if you actually want to allow foreign
+ * sites to put simpleSAMLphp in a frame. The latter is however
+ * probably not a good security practice.
+ */
+header('X-Frame-Options: SAMEORIGIN');
 ?>
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">