Changeset 18013


Timestamp:
05/24/11 15:29:12 (7 years ago)
Author:
ryan
Message:

Send X-Frame-Options: SAMEORIGIN for admin and login pages. see #12293

Location:
branches/3.1
Files:
3 edited

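--- a/branches/3.1/wp-includes/default-filters.php
+++ b/branches/3.1/wp-includes/default-filters.php
@@ -219,4 +219,5 @@
 add_action( 'login_head',          'wp_print_head_scripts',         9     );
 add_action( 'login_footer',        'wp_print_footer_scripts'              );
+add_action( 'login_init',          'send_frame_options_header',     10, 0 );
 
 // Feed Generator Tags
@@ -250,4 +251,5 @@
 add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
 add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
+add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
 
 // Navigation menu actions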
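Review bot: Neither new `add_action()` line says that `send_frame_options_header` is a security control, and the two registrations are filed under unrelated groups (next to the login script hooks at new line 221 and next to `wp_scheduled_delete` at new line 253). A one-line comment above each, for example `// Anti-clickjacking: send X-Frame-Options: SAMEORIGIN on login and admin screens.`, would keep them from being dropped or reordered as routine cleanup. The header only takes effect if the callback runs before any output, so the comment could also note that callbacks hooked earlier on `login_init` or `admin_init` must not echo.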
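--- a/branches/3.1/wp-includes/functions.php
+++ b/branches/3.1/wp-includes/functions.php
@@ -4483,3 +4483,15 @@
 }
 
+/**
+ * Send a HTTP header to limit rendering of pages to same origin iframes.
+ *
+ * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
+ *
+ * @since 3.2.0
+ * @return none
+ */
+function send_frame_options_header() {
+    @header( 'X-Frame-Options: SAMEORIGIN' );
+}
+
 ?>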
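Review bot: The `@` in front of `header()` in `send_frame_options_header()` hides the "headers already sent" warning, so if output has begun before `login_init` or `admin_init` fires, the anti-framing header is dropped and nothing records it. I would drop the suppression or make the failure visible, for example `if ( ! headers_sent() ) { header( 'X-Frame-Options: SAMEORIGIN' ); }` with a debug notice on the other path. The docblock should also state what the header defends against (clickjacking of the login and admin screens) and use `@return void` instead of `@return none`. The `@since 3.2.0` tag looks inconsistent with a commit to branches/3.1 and is worth confirming.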
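--- a/branches/3.1/wp-login.php
+++ b/branches/3.1/wp-login.php
@@ -369,5 +369,6 @@
 
 // allow plugins to override the default actions, and to add extra actions if they want
-do_action('login_form_' . $action);
+do_action( 'login_init' );
+do_action( 'login_form_' . $action );
 
 $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);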
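Review bot: The existing comment at line 370 ("allow plugins to override the default actions…") now sits directly above `do_action( 'login_init' )`, although it describes the `login_form_` hook, and the new hook has no description of its own. I would add `// Fires before any login action is handled; core sends X-Frame-Options from this hook.` above the new line and keep the original comment immediately above `do_action( 'login_form_' . $action );`. Because `login_init` fires at line 371, any path earlier in wp-login.php that exits or emits output would not carry the header; that code is outside this hunk, so it is worth confirming none exists.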