From 517efee327b8fc4f0203bd437eca90bdbaf5d05d Mon Sep 17 00:00:00 2001
From: Helmut Hummel <helmut.hummel@typo3.org>
Date: Fri, 21 Mar 2014 12:54:13 +0100
Subject: [PATCH] [SECURITY] Implement Click Jacking Protection

To protect the backend from click jacking attacks
a HTTP header needs to be sent, which prevents
embedding backend pages in an iframe on domains
different than the one used to access the backend.

All recommended browsers respect this header
and prevent the backend page from being shown in an
iframe, so we do not need to implement further
JavaScript frame-busting solutions.

Resolves: #54201
Documentation: #57144
Releases: 6.2
Change-Id: Ic83cae4917bb62ff8fe8b55a947ace7dba86d223
Reviewed-on: https://review.typo3.org/28601
Reviewed-by: Christian Kuhn
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny
---
 typo3/init.php                                    |  3 ++-
 typo3/sysext/core/Classes/Core/Bootstrap.php      | 15 +++++++++++++++
 .../core/Configuration/DefaultConfiguration.php   |  5 +++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/typo3/init.php b/typo3/init.php
index a9d74b5c7e2b..bce02b5ccd97 100644
--- a/typo3/init.php
+++ b/typo3/init.php
@@ -74,4 +74,5 @@ require __DIR__ . '/sysext/core/Classes/Core/Bootstrap.php';
 	->initializeLanguageObject()
 	->initializeBackendTemplate()
 	->endOutputBufferingAndCleanPreviousOutput()
-	->initializeOutputCompression();
+	->initializeOutputCompression()
+	->sendHttpHeaders();
diff --git a/typo3/sysext/core/Classes/Core/Bootstrap.php b/typo3/sysext/core/Classes/Core/Bootstrap.php
index 0b22dd3b1aab..184507377102 100644
--- a/typo3/sysext/core/Classes/Core/Bootstrap.php
+++ b/typo3/sysext/core/Classes/Core/Bootstrap.php
@@ -1064,6 +1064,21 @@ class Bootstrap {
 		return $this;
 	}
 
+	/**
+	 * Send HTTP headers if configured
+	 *
+	 * @return Bootstrap
+	 * @internal This is not a public API method, do not use in own extensions
+	 */
+	public function sendHttpHeaders() {
+		if (!empty($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers']) && is_array($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'])) {
+			foreach ($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'] as $header) {
+				header($header);
+			}
+		}
+		return $this;
+	}
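Review bot: The loop `foreach (...['Headers'] as $header) { header($header); }` hands every configured value to header() unchecked, so a non-string entry added through LocalConfiguration (the default array is keyed by name, which invites overrides) produces a warning instead of being skipped; I would guard it with `if (!is_string($header) || $header === '') { continue; }` directly before `header($header);`. A `headers_sent()` check is also worth considering, because the method is chained after endOutputBufferingAndCleanPreviousOutput() in init.php and a "headers already sent" warning would be the only sign that the protection header was dropped. The `!empty(...) && is_array(...)` condition can be reduced to `is_array(...)`, since iterating an empty array is a no-op. The enclosing Bootstrap class continues outside the hunk.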
+
 	/**
 	 * Things that should be performed to shut down the framework.
 	 * This method is called in all important scripts for a clean
diff --git a/typo3/sysext/core/Configuration/DefaultConfiguration.php b/typo3/sysext/core/Configuration/DefaultConfiguration.php
index f02868e06eb2..05bc41f32776 100644
--- a/typo3/sysext/core/Configuration/DefaultConfiguration.php
+++ b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -713,6 +713,11 @@ return array(
 				'csrfTokenCheck' => TRUE
 			),
 		),
+		'HTTP' => array(
+			'Response' => array(
+				'Headers' => array('clickJackingProtection' => 'X-Frame-Options: SAMEORIGIN')
+			)
+		),
 		'XCLASS' => array()
 	),
 	'FE' => array( // Configuration for the TypoScript frontend (FE). Nothing here relates to the administration backend!
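Review bot: The new `'HTTP' => array('Response' => array('Headers' => ...))` block has no comment describing its contract, although the format matters to integrators who edit it: each value is a complete header line passed verbatim to header(), and the name key exists so an individual entry can be addressed. I would add above `'HTTP' => array(` a comment such as `// Each entry is a full header line handed to header() on backend requests; entries are keyed so a single one can presumably be unset or replaced in LocalConfiguration`. Because header() replaces an existing header of the same name by default, a second entry carrying another `X-Frame-Options` value would win over this default, which the comment could also mention.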
-- 
GitLab