From a923d0046113507392600c4991b94c282fd2681d Mon Sep 17 00:00:00 2001
From: Olav Morken <olav.morken@uninett.no>
Date: Wed, 21 Dec 2011 10:13:58 +0000
Subject: [PATCH] Prevent other sites from loading the login page in an iframe.

This patch adds the X-Frame-Options header to prevent simpleSAMLphp
pages from being used in iframes on third-party sites.

Thanks to Thijs Kinkhorst for adding this!

git-svn-id: https://simplesamlphp.googlecode.com/svn/trunk@3004 44740490-163a-0410-bde0-09ae8108e29a
---
 templates/includes/header.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/templates/includes/header.php b/templates/includes/header.php
index 5db1b5c47..ee24a9257 100644
--- a/templates/includes/header.php
+++ b/templates/includes/header.php
@@ -29,8 +29,16 @@ if (array_key_exists('pageid', $this->data)) {
 }
 // - o - o - o - o - o - o - o - o - o - o - o - o -
 
-
-
+/**
+ * Do not allow to frame simpleSAMLphp pages from another location.
+ * This prevents clickjacking attacks in modern browsers.
+ *
+ * If you don't want any framing at all you can even change this to
+ * 'DENY', or comment it out if you actually want to allow foreign
+ * sites to put simpleSAMLphp in a frame. The latter is however
+ * probably not a good security practice.
+ */
+header('X-Frame-Options: SAMEORIGIN');
 
 ?>
 <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
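Review bot: The new `header('X-Frame-Options: SAMEORIGIN')` call on the added line is only effective if nothing has been written to the response body yet; once output has started, PHP drops the header with a warning and the page is framable after all. The call sits before the `?>` and the `<html>` tag, so within this file it is early enough, but header.php is itself an include, so anything emitted before it (stray whitespace or BOM in an including file, an earlier echo) would defeat it — that ordering requirement is worth stating, e.g. `// Must run before any output: header() is ignored once the response body has started.` The comment is written as a `/** */` docblock on a plain statement; a `/* */` or `//` comment would be the conventional form since no declaration follows. It may also be worth noting in the comment that only pages rendered through this header template receive the protection, so any response that bypasses it is still framable. The enclosing PHP block begins above the hunk.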
-- 
GitLab