[SECURITY] Implement Click Jacking Protection 01/28601/3
authorHelmut Hummel <helmut.hummel@typo3.org>
Fri, 21 Mar 2014 11:54:13 +0000 (12:54 +0100)
committerErnesto Baschny <ernst@cron-it.de>
Fri, 21 Mar 2014 18:15:26 +0000 (19:15 +0100)
To protect the backend from click jacking attacks
a HTTP header needs to be sent, which prevents
embedding backend pages in an iframe on domains
different than the one used to access the backend.

All recommended browsers respect this header
and refuse to show the backend page in an
iframe, so we do not need to implement further
JavaScript frame-busting solutions.

Resolves: #54201
Documentation: #57144
Releases: 6.2
Change-Id: Ic83cae4917bb62ff8fe8b55a947ace7dba86d223
Reviewed-on: https://review.typo3.org/28601
Reviewed-by: Christian Kuhn
Reviewed-by: Markus Klein
Tested-by: Markus Klein
Reviewed-by: Wouter Wolters
Tested-by: Wouter Wolters
Reviewed-by: Ernesto Baschny
Tested-by: Ernesto Baschny
typo3/init.php
typo3/sysext/core/Classes/Core/Bootstrap.php
typo3/sysext/core/Configuration/DefaultConfiguration.php

index a9d74b5..bce02b5 100644 (file)
@@ -74,4 +74,5 @@ require __DIR__ . '/sysext/core/Classes/Core/Bootstrap.php';
        ->initializeLanguageObject()
        ->initializeBackendTemplate()
        ->endOutputBufferingAndCleanPreviousOutput()
-       ->initializeOutputCompression();
+       ->initializeOutputCompression()
+       ->sendHttpHeaders();
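Review bot: The position of the new `->sendHttpHeaders()` call in the chain is load-bearing but undocumented: `header()` only has an effect while no output has been sent, so the call must stay after `->endOutputBufferingAndCleanPreviousOutput()`. A short comment on the added line, `->sendHttpHeaders(); // must run after output buffering is cleaned, header() is a no-op once output has been sent`, would keep a later reordering of the bootstrap chain from silently dropping the X-Frame-Options header. The chained statement begins before this hunk, so the surrounding calls are not all visible here.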
index 0b22dd3..1845073 100644 (file)
@@ -1065,6 +1065,21 @@ class Bootstrap {
        }
 
        /**
+        * Send HTTP headers if configured
+        *
+        * @return Bootstrap
+        * @internal This is not a public API method, do not use in own extensions
+        */
+       public function sendHttpHeaders() {
+               if (!empty($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers']) && is_array($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'])) {
+                       foreach ($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'] as $header) {
+                               header($header);
+                       }
+               }
+               return $this;
+       }
+
+       /**
         * Things that should be performed to shut down the framework.
         * This method is called in all important scripts for a clean
         * shut down of the system.
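Review bot: The docblock on `sendHttpHeaders` does not say how the configured array is interpreted, although the values are passed verbatim to `header()` (with its default replace behaviour) and the default configuration keys each entry by name, presumably so a single header can be overridden or removed per installation; suggest extending the docblock with `* Each entry of BE/HTTP/Response/Headers is sent verbatim via header(); entries are keyed by name so that a single header can be overridden or unset in LocalConfiguration.php.` The `!empty(...)` test on line 51 is redundant once `is_array()` is checked, since `foreach` over an empty array does nothing, so `if (is_array($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers']))` would read more clearly. Note also that if anything has already been output at this point, `header()` emits a warning and the protection header is not sent; a `headers_sent()` check before the loop would make that condition explicit rather than relying on the preceding output-buffer cleanup in init.php.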
index f02868e..05bc41f 100644 (file)
@@ -713,6 +713,11 @@ return array(
                                'csrfTokenCheck' => TRUE
                        ),
                ),
+               'HTTP' => array(
+                       'Response' => array(
+                               'Headers' => array('clickJackingProtection' => 'X-Frame-Options: SAMEORIGIN')
+                       )
+               ),
                'XCLASS' => array()
        ),
        'FE' => array( // Configuration for the TypoScript frontend (FE). Nothing here relates to the administration backend!
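Review bot: The new `'Headers'` entry on line 70 lacks a comment explaining the choice of `SAMEORIGIN` over `DENY`, which matters because `DENY` would also block the backend from framing its own pages while `SAMEORIGIN` only blocks framing from other origins; suggest `// Clickjacking protection: SAMEORIGIN blocks framing of backend pages by other origins but still allows the backend to frame its own pages (DENY would not)`. The key name `clickJackingProtection` is what an installation has to reference to unset or override this header, so the comment could also mention that the key identifies the entry rather than carrying any meaning for the browser.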