Commit a4305401 authored by Evan Prodromou's avatar Evan Prodromou

configuration option to bust frames or not

parent 64925a27
......@@ -1139,6 +1139,9 @@ ssl: Whether to use SSL for JavaScript files. Default is null, which means
sslserver: SSL server to use when page is HTTPS-encrypted. If
unspecified, site ssl server and so on will be used.
sslpath: If sslserver if defined, path to use when page is HTTPS-encrypted.
bustframes: If true, all web pages will break out of framesets. If false,
can comfortably live in a frame or iframe... probably. Default
to true.
xmpp
----
......
......@@ -298,7 +298,9 @@ class Action extends HTMLOutputter // lawsuit
$this->script('util.min.js');
$this->showScriptMessages();
// Frame-busting code to avoid clickjacking attacks.
$this->inlineScript('if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
if (common_config('javascript', 'bustframes')) {
$this->inlineScript('if (window.top !== window.self) { window.top.location.href = window.self.location.href; }');
}
Event::handle('EndShowStatusNetScripts', array($this));
Event::handle('EndShowLaconicaScripts', array($this));
}
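Review bot: With `bustframes` set to false this branch emits no framing protection at all, while the comment above the `if` still reads as if clickjacking were always covered. Script-based frame busting is also a weak control on its own, because it does nothing when the framed page's script does not run. A response header such as `X-Frame-Options: SAMEORIGIN` (or CSP `frame-ancestors`) sent alongside it would hold in that case, though whether this class has a suitable place to send headers is not visible here. At minimum I would extend the comment to `// Frame-busting code to avoid clickjacking attacks; disabling javascript/bustframes leaves pages frameable by any origin.` The enclosing method starts outside the hunk.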
......
......@@ -154,7 +154,8 @@ $default =
'javascript' =>
array('server' => null,
'path'=> null,
'ssl' => null),
'ssl' => null,
'bustframes' => true),
'local' => // To override path/server for themes in 'local' dir (not currently applied to local plugins)
array('server' => null,
'dir' => null,
......