Commit ebf0ee3b authored by David Norman's avatar David Norman

Issue #2314057 by deekayen: Fixed Breakages of file upload AJAX.

Separate CSS/JS from the HTTP headers and disable the CSS/JS solution by default.
parent 73ec95bb
+11 −15
@@ -29,13 +29,13 @@ function frameprevention_permission() {
 * Implements hook_init().
 */
function frameprevention_init() {
  if (variable_get('frameprevention_enabled', 0)) {
  if (!frameprevention_check()) {
    $x_frame = variable_get('frameprevention_x_frame_options', 'SAMEORIGIN');
    if ($x_frame == 'SAMEORIGIN' || $x_frame == 'DENY') {
      drupal_add_http_header('X-Frame-Options', $x_frame);
    }

    if (variable_get('frameprevention_enabled', 0)) {
      $inline_script = <<<EOL
<style id="antiClickjack">body{display:none !important;}</style>
<script type="text/javascript">
@@ -86,17 +86,13 @@ function frameprevention_menu() {
function frameprevention_admin_settings() {
  $form = array();

  $form['fp'] = array(
    '#type' => 'fieldset',
    '#title' => t('Prevent your site from being framed'),
    '#tree' => FALSE,
  );
  $form['fp']['frameprevention_enabled'] = array(
  $form['frameprevention_enabled'] = array(
    '#type' => 'checkbox',
    '#title' => t('Enable Frameprevention'),
    '#title' => t('Enable CSS and Javascript-based frame-breaker'),
    '#default_value' => variable_get('frameprevention_enabled', 0),
    '#description' => t('Based on recommended frame-breaking code from the !link. Having Javascript enabled on client web browsers will become a requirement when this is enabled, otherwise no content will display.', array('!link' => l(t('OWASP Clickjacking Defense Cheat Sheet'), 'https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet'))),
  );
  $form['fp']['frameprevention_x_frame_options'] = array(
  $form['frameprevention_x_frame_options'] = array(
    '#title' => t('X-Frame-Options HTTP response header'),
    '#type' => 'select',
    '#options' => array(
@@ -107,7 +103,7 @@ function frameprevention_admin_settings() {
    '#description' => t('DENY prevents any domain from framing the content. SAMEORIGIN allows the current site to frame the content.'),
    '#default_value' => variable_get('frameprevention_x_frame_options', 'SAMEORIGIN'),
  );
  $form['fp']['frameprevention_pages'] = array(
  $form['frameprevention_pages'] = array(
    '#type' => 'textarea',
    '#title' => t('Pages to ignore'),
    '#default_value' => variable_get('frameprevention_pages', "img_assist/*\nfile/ajax/*"),