Commit b480b81a authored by Hugh Davenport

Fix Click-Jacking attack on account deletion page

This attack has been mitigated by adding an HTTP header
of X-Frame-Options to every page in Mahara.

Bug #1057240
CVE-2012-2246

Change-Id: Ia15bb43c83054ffa5540d71fcc932266b92d288f
Signed-off-by: Hugh Davenport <hugh@catalyst.net.nz>
parent f964a327
......@@ -46,6 +46,9 @@ header('Cache-Control: private, must-revalidate, pre-check=0, post-check=0, max-
header('Expires: '. gmdate('D, d M Y H:i:s', 507686400) .' GMT');
header('Pragma: no-cache');
// Prevent clickjacking through iframe tags
header('X-Frame-Options: SAMEORIGIN');
// Set up error handling
require('errors.php');
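Review bot: the choice of `SAMEORIGIN` over `DENY` on the new `header('X-Frame-Options: SAMEORIGIN');` line deserves a comment, since `SAMEORIGIN` still allows any page on the Mahara origin to frame the account deletion page, so the protection rests on no same-origin page being usable as a framing host; if Mahara never legitimately frames its own pages, `DENY` is the stricter option, and if it does, the comment should say which feature needs it. The header is also only emitted for requests that reach this point in the PHP bootstrap; anything the web server serves directly, or any script that exits before these `header()` calls, will not carry it, so consider setting the header at the web-server level as well (or documenting that this file is the single choke point, as the commit message implies) so the mitigation cannot be silently bypassed by a page that skips the include.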