From c9c81ee7156fc47d834317644baa25cec7cf16e4 Mon Sep 17 00:00:00 2001
From: Reed Loden <reed@reedloden.com>
Date: Sat, 18 Dec 2010 00:40:24 -0800
Subject: Bug 475894 - Send the 'X-Frame-Options: SAMEORIGIN' header to help
 protect against clickjacking. [r=mkanat a=mkanat]

---
 Bugzilla/CGI.pm | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'Bugzilla')

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index b32f76ae0..7c42d6f63 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -287,6 +287,12 @@ sub header {
         unshift(@_, '-strict_transport_security' => $sts_opts);
     }
 
+    # Add X-Frame-Options header to prevent framing and subsequent
+    # possible clickjacking problems.
+    unless ($self->url_is_attachment_base) {
+        unshift(@_, '-x_frame_options' => 'SAMEORIGIN');
+    }
+
     return $self->SUPER::header(@_) || "";
 }
 
-- 
cgit v1.2.3-24-g4f1b