1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Fixed Clickjacking protection enabled/disabled reversed?

Discussion in 'Resolved Bug Reports' started by AlexT, Jul 10, 2013.

  1. AlexT

    AlexT Well-Known Member

    xF 1.2 adds the $config['enableClickjackingProtection'] configuration. More on clickjacking can be read here. By default, enableClickjackingProtection is set to true in xF, meaning that it is enabled (I'd guess).

    But if you look at this code, you'll notice that in fact if enableClickjackingProtection is set to false (and not true), xF will send the extra header meant to defeat clickjacking:

    if (!XenForo_Application::isRegistered('config') || !XenForo_Application::getConfig()->enableClickjackingProtection)
       $this->_response->setHeader('X-Frame-Options', 'SAMEORIGIN');
    Last edited: Jul 10, 2013
    Walter and brendanc like this.
  2. brendanc

    brendanc Active Member

    Maybe this is a fallback? Are you certain this is the only place the header for the clickjacking fix is sent?
  3. AlexT

    AlexT Well-Known Member

    I think so. It's the only place where the enableClickjackingProtection boolean is checked.
  4. Mike

    Mike XenForo Developer Staff Member

    Indeed. Wonder how that happened...
    SneakyDave, tyteen4a03 and AlexT like this.
  5. tyteen4a03

    tyteen4a03 Well-Known Member

    Clickjacking the config entry has been here since 1.1.
  6. AlexT

    AlexT Well-Known Member

    That's correct. When I made the comparison above, I looked at 1.1.4. But the option is there only since 1.1.5.

Share This Page