
Fixed Clickjacking protection enabled/disabled reversed?

AlexT

Well-known member
#1
xF 1.2 adds the $config['enableClickjackingProtection'] configuration. More on clickjacking can be read here. By default, enableClickjackingProtection is set to true in xF, meaning that it is enabled (I'd guess).

But if you look at this code, you'll notice that in fact if enableClickjackingProtection is set to false (and not true), xF will send the extra header meant to defeat clickjacking:

Code:
if (!XenForo_Application::isRegistered('config') || !XenForo_Application::getConfig()->enableClickjackingProtection)
{
   $this->_response->setHeader('X-Frame-Options', 'SAMEORIGIN');
}
(/library/XenForo/ViewRenderer/Abstract.php)
 
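To make the reversal in the post above concrete, here is an added example (not XenForo's own code) that models the quoted condition with a stand-in config object and runs the three possible states through both the condition as posted and an assumed corrected one. StubConfig, sendHeadersOriginal(), sendHeadersCorrected() and the corrected condition itself are illustrative assumptions, not XenForo identifiers; the only thing taken from the page is the boolean expression and the header it guards.

```php
<?php
// Added example, not XenForo's own code. It models the condition quoted from
// /library/XenForo/ViewRenderer/Abstract.php with a stand-in config object so
// the three possible states can be compared side by side:
//   (a) no config registered, (b) option set to true, (c) option set to false.
// StubConfig, sendHeadersOriginal(), sendHeadersCorrected() and the corrected
// condition are assumptions for illustration, not XenForo identifiers.

final class StubConfig
{
    public $enableClickjackingProtection;

    public function __construct($enableClickjackingProtection)
    {
        $this->enableClickjackingProtection = $enableClickjackingProtection;
    }
}

// Mirrors the condition as posted: the header is sent only when NO config is
// registered or when the option is FALSE, so the enabled/disabled sense is
// reversed and a default install (option = true) sends nothing.
function sendHeadersOriginal($config)
{
    $headers = array();
    if ($config === null || !$config->enableClickjackingProtection) {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}

// Assumed corrected condition: keep the safe default when no config exists,
// otherwise send the header exactly when the option is truthy.
function sendHeadersCorrected($config)
{
    $headers = array();
    if ($config === null || $config->enableClickjackingProtection) {
        $headers['X-Frame-Options'] = 'SAMEORIGIN';
    }
    return $headers;
}

// Constructed states covering every branch of the condition.
$cases = array(
    'no config registered'               => null,
    'enableClickjackingProtection=true'  => new StubConfig(true),
    'enableClickjackingProtection=false' => new StubConfig(false),
);

printf("%-38s %-12s %s\n", 'state', 'as posted', 'corrected');
foreach ($cases as $label => $config) {
    $orig  = array_key_exists('X-Frame-Options', sendHeadersOriginal($config))
        ? 'header' : 'no header';
    $fixed = array_key_exists('X-Frame-Options', sendHeadersCorrected($config))
        ? 'header' : 'no header';
    printf("%-38s %-12s %s\n", $label, $orig, $fixed);
}
```

Run it with `php clickjacking_check.php`; the "as posted" column shows the header missing exactly in the default state (option true) and present when the option is false. To confirm what a real install actually emits, request a page and look for the header, e.g. `curl -sI https://your-forum.example/ | grep -i x-frame-options`, with the option left at its default; an absent header there is the observable symptom of the reversed condition.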

tyteen4a03

Well-known member
#5
The clickjacking config entry has been here since 1.1.