From: Mischa POSLAWSKY Date: Sat, 16 May 2020 22:17:23 +0000 (+0200) Subject: page: disallow frame ancestors to prevent clickjacking X-Git-Tag: v4.4~9 X-Git-Url: http://git.shiar.nl/minimedit.git/commitdiff_plain/63c023f45bfa532dcc54b292906c150c10331e9e page: disallow frame ancestors to prevent clickjacking Security policy recommended by Dareboost, to stop potential malicious page embedding. Support should be decent (enough), so do not bother with an equivalent X-Frame-Options directive for compatibility.
---
diff --git a/page.php b/page.php
index 12e0690..3dd8cba 100644
--- a/page.php
+++ b/page.php
@@ -159,6 +159,8 @@ if ($PageAccess = $Article->restricted) {
 # prepare page contents
+header("Content-Security-Policy: frame-ancestors 'none'");
+
 ob_start(); # page body
 $Place = [
 'user' => $User ? $User->login : '',