Make WordPress Core

Changeset 18013


Ignore:
Timestamp:
05/24/2011 03:29:12 PM (13 years ago)
Author:
ryan
Message:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293

Location:
branches/3.1
Files:
3 edited

Legend:

Unmodified
Added
Removed
  • branches/3.1/wp-includes/default-filters.php

    r17466 r18013  
    219219add_action( 'login_head',          'wp_print_head_scripts',         9     );
    220220add_action( 'login_footer',        'wp_print_footer_scripts'              );
     221add_action( 'login_init',          'send_frame_options_header',     10, 0 );
    221222
    222223// Feed Generator Tags
     
    250251add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
    251252add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
     253add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
    252254
    253255// Navigation menu actions
  • branches/3.1/wp-includes/functions.php

    r17517 r18013  
    44834483}
    44844484
     4485/**
     4486 * Send a HTTP header to limit rendering of pages to same origin iframes.
     4487 *
     4488 * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
     4489 *
     4490 * @since 3.2.0
     4491 * @return none
     4492 */
     4493function send_frame_options_header() {
     4494    @header( 'X-Frame-Options: SAMEORIGIN' );
     4495}
     4496
    44854497?>
  • branches/3.1/wp-login.php

    r17466 r18013  
    369369
    370370// allow plugins to override the default actions, and to add extra actions if they want
    371 do_action('login_form_' . $action);
     371do_action( 'login_init' );
     372do_action( 'login_form_' . $action );
    372373
    373374$http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
Note: See TracChangeset for help on using the changeset viewer.