function _seckit_x_frame in Security Kit 7

Same name and namespace in other branches
  1. 6 seckit.module _seckit_x_frame()

Sends X-Frame-Options HTTP header.

X-Frame-Options tells the browser whether the page may be rendered inside a frame. More information can be found in the initial article about it at http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickj...

The implementation of X-Frame-Options is based on the specification draft available at http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01

1 call to _seckit_x_frame()
seckit_init in ./seckit.module
Implements hook_init().

File

./seckit.module, line 567
Allows administrators to improve security of the website.

Code

function _seckit_x_frame($setting) {
  switch ($setting) {
    case SECKIT_X_FRAME_SAMEORIGIN:
      // Set X-Frame-Options to SAMEORIGIN.
      drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
      break;

    case SECKIT_X_FRAME_DENY:
      // Set X-Frame-Options to DENY.
      drupal_add_http_header('X-Frame-Options', 'DENY');
      break;

    case SECKIT_X_FRAME_ALLOW_FROM:
      // ALLOW-FROM takes exactly one origin, so the header is only set here
      // when a single value is configured.
      $options = _seckit_get_options();
      $allowed = $options['seckit_clickjacking']['x_frame_allow_from'];
      if (count($allowed) == 1) {
        $value = array_pop($allowed);
        drupal_add_http_header('X-Frame-Options', "ALLOW-FROM {$value}");
      }
      // If there were multiple values, then seckit_boot() took care of it.
      break;

    case SECKIT_X_FRAME_DISABLE:
      // Make sure Drupal core does not set the header either. See
      // drupal_deliver_html_page().
      $GLOBALS['conf']['x_frame_options'] = '';
      break;
  }
}
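The following is an added example, not Security Kit code: a parser for X-Frame-Options values following the grammar of the draft the module cites, plus an evaluator that decides whether a browser honouring that draft would render a page inside a given top-level document. It assumes the draft's rule that ALLOW-FROM carries exactly one serialized origin, which is why the function above only emits the header itself for a single configured value; all URLs in the test are constructed.

```python
# Added example (not Security Kit code): parse an X-Frame-Options value using the
# grammar of draft-ietf-websec-x-frame-options-01 and decide whether a browser that
# follows the draft would render a page inside a given top-level document.
#   X-Frame-Options = "DENY" / "SAMEORIGIN" / ( "ALLOW-FROM" RWS SERIALIZED-ORIGIN )
# Exactly one origin may follow ALLOW-FROM, which is why _seckit_x_frame() only
# emits the header itself when a single allowed origin is configured.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def serialized_origin(url: str) -> str:
    """Reduce an absolute URL to scheme://host[:port] (lower-cased, default port dropped)."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = parts.scheme.lower()
    origin = f"{scheme}://{parts.hostname.lower()}"
    if parts.port is not None and parts.port != DEFAULT_PORTS.get(scheme):
        origin += f":{parts.port}"
    return origin


def parse_x_frame_options(value: str):
    """Return ("DENY", None), ("SAMEORIGIN", None) or ("ALLOW-FROM", origin).
    Raise ValueError for anything outside the draft grammar, e.g. a second origin
    after ALLOW-FROM or an unknown token, instead of guessing what a browser does.
    """
    tokens = value.strip().split()
    if not tokens:
        raise ValueError("empty X-Frame-Options value")
    directive = tokens[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        if len(tokens) != 1:
            raise ValueError(f"{directive} takes no argument: {value!r}")
        return directive, None
    if directive == "ALLOW-FROM":
        if len(tokens) != 2:
            raise ValueError(f"ALLOW-FROM takes exactly one origin: {value!r}")
        return directive, serialized_origin(tokens[1])
    raise ValueError(f"unknown X-Frame-Options directive: {value!r}")


def framing_allowed(header: str, framed_url: str, top_level_url: str) -> bool:
    """True if the draft lets framed_url be shown inside the top-level document."""
    directive, origin = parse_x_frame_options(header)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return serialized_origin(framed_url) == serialized_origin(top_level_url)
    return serialized_origin(top_level_url) == origin
```

The result reflects the draft, not every user agent: Chrome and Safari never implemented ALLOW-FROM, so a site that depends on it should verify the behaviour in the browsers it supports.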