Fixed Clickjacking protection enabled/disabled reversed?

[AlexT]

xF 1.2 adds the $config['enableClickjackingProtection'] configuration. More on clickjacking can be read here. By default, enableClickjackingProtection is set to true in xF, meaning that it is enabled (I'd guess).

But if you look at this code, you'll notice that in fact if enableClickjackingProtection is set to false (and not true), xF will send the extra header meant to defeat clickjacking:

if (!XenForo_Application::isRegistered('config') || !XenForo_Application::getConfig()->enableClickjackingProtection)
{
   $this->_response->setHeader('X-Frame-Options', 'SAMEORIGIN');
}

(/library/XenForo/ViewRenderer/Abstract.php)

 

[Deleted member 2163]

Maybe this is a fallback? Are you certain this is the only place the header for the clickjacking fix is sent?

 

[AlexT]

Maybe this is a fallback? Are you certain this is the only place the header for the clickjacking fix is sent?

I think so. It's the only place where the enableClickjackingProtection boolean is checked.

 

[Mike]

Indeed. Wonder how that happened...

 

[tyteen4a03]

xF 1.2 adds the $config['enableClickjackingProtection'] configuration. More on clickjacking can be read here. By default, enableClickjackingProtection is set to true in xF, meaning that it is enabled (I'd guess).

But if you look at this code, you'll notice that in fact if enableClickjackingProtection is set to false (and not true), xF will send the extra header meant to defeat clickjacking:

if (!XenForo_Application::isRegistered('config') || !XenForo_Application::getConfig()->enableClickjackingProtection)
{
   $this->_response->setHeader('X-Frame-Options', 'SAMEORIGIN');
}

(/library/XenForo/ViewRenderer/Abstract.php)

Clickjacking the config entry has been here since 1.1.

 

[AlexT]

Clickjacking the config entry has been here since 1.1.

That's correct. When I made the comparison above, I looked at 1.1.4. But the option is there only since 1.1.5.