Changeset 17826

Timestamp:

05/06/2011 09:28:53 PM (14 years ago)

Author:

ryan

Message:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293

Location:

trunk

Files:

• wp-includes/default-filters.php (modified) (2 diffs)
• wp-includes/functions.php (modified) (1 diff)
• wp-login.php (modified) (1 diff)

trunk/wp-includes/default-filters.php

@@ -216 +216 @@
 add_action( 'login_head',          'wp_print_head_scripts',         9     );
 add_action( 'login_footer',        'wp_print_footer_scripts'              );
+add_action( 'login_form',          'send_frame_options_header',     10, 0 );
 
 // Feed Generator Tags
@@ -249 +250 @@
 add_action( 'before_wp_tiny_mce',         'wp_print_editor_js'             );
 add_action( 'after_wp_tiny_mce',          'wp_preload_dialogs',      10, 1 );
+add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
 
 // Navigation menu actions

trunk/wp-includes/functions.php

@@ -4535 +4535 @@
 }
 
+/**
+ * Send a HTTP header to limit rendering of pages to same origin iframes.
+ *
+ * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
+ *
+ * @since 3.2.0
+ * @return none
+ */
+function send_frame_options_header() {
+    @header( 'X-Frame-Options: SAMEORIGIN' );
+}
+
 ?>

trunk/wp-login.php

@@ -369 +369 @@
 
 // allow plugins to override the default actions, and to add extra actions if they want
-do_action('login_form_' . $action);
+do_action( 'login_form' );
+do_action( 'login_form_' . $action );
 
 $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);