Fixed Clickjacking protection enabled/disabled reversed?

AlexT

Well-known member
xF 1.2 adds the $config['enableClickjackingProtection'] configuration. More on clickjacking can be read here. By default, enableClickjackingProtection is set to true in xF, meaning that it is enabled (I'd guess).

But if you look at this code, you'll notice that in fact if enableClickjackingProtection is set to false (and not true), xF will send the extra header meant to defeat clickjacking:

Code:
if (!XenForo_Application::isRegistered('config') || !XenForo_Application::getConfig()->enableClickjackingProtection)
{
   $this->_response->setHeader('X-Frame-Options', 'SAMEORIGIN');
}
(/library/XenForo/ViewRenderer/Abstract.php)
 
Last edited:
Maybe this is a fallback? Are you certain this is the only place the header for the clickjacking fix is sent?
 
xF 1.2 adds the $config['enableClickjackingProtection'] configuration. More on clickjacking can be read here. By default, enableClickjackingProtection is set to true in xF, meaning that it is enabled (I'd guess).

But if you look at this code, you'll notice that in fact if enableClickjackingProtection is set to false (and not true), xF will send the extra header meant to defeat clickjacking:

Code:
if (!XenForo_Application::isRegistered('config') || !XenForo_Application::getConfig()->enableClickjackingProtection)
{
   $this->_response->setHeader('X-Frame-Options', 'SAMEORIGIN');
}
(/library/XenForo/ViewRenderer/Abstract.php)
Clickjacking the config entry has been here since 1.1.
 
Top Bottom