Make WordPress Core

Changeset 17826


Ignore:
Timestamp:
05/06/2011 09:28:53 PM (14 years ago)
Author:
ryan
Message:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293

Location:
trunk
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • trunk/wp-includes/default-filters.php

    r17785 r17826  
    216216add_action( 'login_head',          'wp_print_head_scripts',         9     );
    217217add_action( 'login_footer',        'wp_print_footer_scripts'              );
     218add_action( 'login_form',          'send_frame_options_header',     10, 0 );
    218219
    219220// Feed Generator Tags
     
    249250add_action( 'before_wp_tiny_mce',         'wp_print_editor_js'             );
    250251add_action( 'after_wp_tiny_mce',          'wp_preload_dialogs',      10, 1 );
     252add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
    251253
    252254// Navigation menu actions
  • trunk/wp-includes/functions.php

    r17779 r17826  
    45354535}
    45364536
     4537/**
     4538 * Send a HTTP header to limit rendering of pages to same origin iframes.
     4539 *
     4540 * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
     4541 *
     4542 * @since 3.2.0
     4543 * @return none
     4544 */
     4545function send_frame_options_header() {
     4546    @header( 'X-Frame-Options: SAMEORIGIN' );
     4547}
     4548
    45374549?>
  • trunk/wp-login.php

    r17465 r17826  
    369369
    370370// allow plugins to override the default actions, and to add extra actions if they want
    371 do_action('login_form_' . $action);
     371do_action( 'login_form' );
     372do_action( 'login_form_' . $action );
    372373
    373374$http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
Note: See TracChangeset for help on using the changeset viewer.