[SECURITY] Implement Click Jacking Protection

To protect the backend from click jacking attacks a HTTP header needs to be sent, which prevents embedding backend pages in an iframe on domains different than the one used to access the backend. All recommended browsers respect this header and prevents the backend page to be shown in an iframe, so we do not need to implement further JavaScript frame busting solutions. Resolves: #54201 Documentation: #57144 Releases: 6.2 Change-Id: Ic83cae4917bb62ff8fe8b55a947ace7dba86d223 Reviewed-on: https://review.typo3.org/28601 Reviewed-by: Christian Kuhn Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Ernesto Baschny Tested-by: Ernesto Baschny

[SECURITY] Implement Click Jacking Protection
To protect the backend from click jacking attacks a HTTP header needs to be sent, which prevents embedding backend pages in an iframe on domains different than the one used to access the backend. All recommended browsers respect this header and prevents the backend page to be shown in an iframe, so we do not need to implement further JavaScript frame busting solutions. Resolves: #54201 Documentation: #57144 Releases: 6.2 Change-Id: Ic83cae4917bb62ff8fe8b55a947ace7dba86d223 Reviewed-on: https://review.typo3.org/28601 Reviewed-by: Christian Kuhn Reviewed-by: Markus Klein Tested-by: Markus Klein Reviewed-by: Wouter Wolters Tested-by: Wouter Wolters Reviewed-by: Ernesto Baschny Tested-by: Ernesto Baschny
517efee3 · Helmut Hummel · Ernesto Baschny · 915acbde · 517efee3 · 517efee3
Commit 517efee3 authored 11 years ago by Helmut Hummel Committed by Ernesto Baschny 11 years ago
--- a/typo3/init.php
+++ b/typo3/init.php
@@ -74,4 +74,5 @@ require __DIR__ . '/sysext/core/Classes/Core/Bootstrap.php';
 	->initializeLanguageObject()
 	->initializeBackendTemplate()
 	->endOutputBufferingAndCleanPreviousOutput()
-	->initializeOutputCompression();
+	->initializeOutputCompression()
+	->sendHttpHeaders();
--- a/typo3/sysext/core/Classes/Core/Bootstrap.php
+++ b/typo3/sysext/core/Classes/Core/Bootstrap.php
@@ -1064,6 +1064,21 @@ class Bootstrap {
 		return $this;
 	}

+	/**
+	 * Send HTTP headers if configured
+	 *
+	 * @return Bootstrap
+	 * @internal This is not a public API method, do not use in own extensions
+	 */
+	public function sendHttpHeaders() {
+		if (!empty($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers']) && is_array($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'])) {
+			foreach ($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'] as $header) {
+				header($header);
+			}
+		}
+		return $this;
+	}
+
 	/**
 	 * Things that should be performed to shut down the framework.
 	 * This method is called in all important scripts for a clean

--- a/typo3/sysext/core/Configuration/DefaultConfiguration.php
+++ b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -713,6 +713,11 @@ return array(
 				'csrfTokenCheck' => TRUE
 			),
 		),
+		'HTTP' => array(
+			'Response' => array(
+				'Headers' => array('clickJackingProtection' => 'X-Frame-Options: SAMEORIGIN')
+			)
+		),
 		'XCLASS' => array()
 	),
 	'FE' => array( // Configuration for the TypoScript frontend (FE). Nothing here relates to the administration backend!