Fixes #2701

* Iframe busting ALL pages except widgets/dashboard * Refactored iframe busting code * This new behavior might break some backward compatibility but can be disabled by setting enable_framed_pages = 1 in the config file @vipsoft your review is welcome on this one! git-svn-id: http://dev.piwik.org/svn/trunk@5805 59fd770c-687e-43c8-a1e3-f5a4ff64c105

Fixes #2701
ae8e02dc · mattpiwik · 7f079373 · ae8e02dc · ae8e02dc · ae8e02dc
--- a/config/global.ini.php
+++ b/config/global.ini.php
@@ -188,6 +188,10 @@ enable_framed_logins = 0
 ; Default is 0 (i.e., bust frames on the Settings forms).
 enable_framed_settings = 0
+; Set to 1 to disable the framebuster on standard Non-widgets pages (a click-jacking countermeasure).
+; Default is 0 (i.e., bust frames on all non Widget pages such as API, Widgets, Email reports, etc.).
+enable_framed_pages = 0
 ; language cookie name for session
 language_cookie_name = piwik_lang

--- a/core/Controller.php
+++ b/core/Controller.php
@@ -468,6 +468,12 @@ abstract class Piwik_Controller
 		$view->logoHeader = Piwik_API_API::getInstance()->getHeaderLogoUrl();
 		$view->logoLarge = Piwik_API_API::getInstance()->getLogoUrl();
 		$view->piwikUrl = Piwik::getPiwikUrl();
+		$view->enableFrames = Zend_Registry::get('config')->General->enable_framed_pages;
+		if(!$view->enableFrames)
+		{
+			$view->setXFrameOptions('sameorigin');
+		}
 	}
 	/**

--- a/plugins/CoreAdminHome/templates/header.tpl
+++ b/plugins/CoreAdminHome/templates/header.tpl
@@ -14,25 +14,11 @@
 <!--[if IE]>
 <link rel="stylesheet" type="text/css" href="themes/default/ieonly.css" />
 <![endif]-->
-{if isset($enableFrames) && !$enableFrames}
+{include file="CoreHome/templates/iframe_buster_header.tpl"}
-{literal}
-	<style type="text/css">body { display : none; }</style>
-{/literal}
-{/if}
 </head>
 <body>
-{if isset($enableFrames) && !$enableFrames}
-{literal}
+{include file="CoreHome/templates/iframe_buster_body.tpl"}
-	<script type="text/javascript">
-		if(self == top) {
-			var theBody = document.getElementsByTagName('body')[0];
-			theBody.style.display = 'block';
-		} else {
-			top.location = self.location;
-		}
-	</script>
-{/literal}
-{/if}
 <div id="root">
 {if !isset($showTopMenu) || $showTopMenu}
 {include file="CoreHome/templates/top_bar.tpl"}

--- a/plugins/CoreHome/templates/header.tpl
+++ b/plugins/CoreHome/templates/header.tpl
@@ -16,8 +16,10 @@
 <!--[if IE]>
 <link rel="stylesheet" type="text/css" href="themes/default/ieonly.css" />
 <![endif]-->
+{include file="CoreHome/templates/iframe_buster_header.tpl"}
 </head>
 <body>
+{include file="CoreHome/templates/iframe_buster_body.tpl"}
 <div id="root">{if !isset($showTopMenu) || $showTopMenu}
 {include file="CoreHome/templates/top_bar.tpl"}
 {/if}
@@ -26,4 +28,4 @@
 <div class="ui-confirm" id="alert">
    <h2></h2>
    <input id="yes" type="button" value="{'General_Ok'|translate}" />
 </div>
\ No newline at end of file
--- a/plugins/CoreHome/templates/iframe_buster_body.tpl
+++ b/plugins/CoreHome/templates/iframe_buster_body.tpl
+{if isset($enableFrames) && !$enableFrames}
+{literal}
+	<script type="text/javascript">
+		if(self == top) {
+			var theBody = document.getElementsByTagName('body')[0];
+			theBody.style.display = 'block';
+		} else {
+			top.location = self.location;
+		}
+	</script>
+{/literal}
+{/if}
--- a/plugins/CoreHome/templates/iframe_buster_header.tpl
+++ b/plugins/CoreHome/templates/iframe_buster_header.tpl
+{if isset($enableFrames) && !$enableFrames}
+{literal}
+	<style type="text/css">body { display : none; }</style>
+{/literal}
+{/if}
\ No newline at end of file
--- a/plugins/Login/templates/header.tpl
+++ b/plugins/Login/templates/header.tpl
@@ -8,11 +8,8 @@
 	<link rel="stylesheet" type="text/css" href="plugins/Login/templates/login.css" />
 	<meta name="description" content="{'General_OpenSourceWebAnalytics'|translate|escape}" />
-{if isset($enableFrames) && !$enableFrames}
-{literal}
-	<style type="text/css">body { display : none; }</style>
-{/literal}
-{/if}
 {if isset($forceSslLogin) && $forceSslLogin}
 {literal}
 	<script type="text/javascript">
@@ -40,20 +37,10 @@
 {if 'General_LayoutDirection'|translate =='rtl'}
 <link rel="stylesheet" type="text/css" href="themes/default/rtl.css" />
 {/if}
+{include file="CoreHome/templates/iframe_buster_header.tpl"}
 </head>
 <body class="login">
-{if isset($enableFrames) && !$enableFrames}
+{include file="CoreHome/templates/iframe_buster_body.tpl"}
-{literal}
-	<script type="text/javascript">
-		if(self == top) {
-			var theBody = document.getElementsByTagName('body')[0];
-			theBody.style.display = 'block';
-		} else {
-			top.location = self.location;
-		}
-	</script>
-{/literal}
-{/if}
 {include file="default/ie6.tpl"}
 	<div id="logo">
 	{if !$isCustomLogo}<a href="http://piwik.org" alt="Piwik" title="{$linkTitle}">{/if}