Currently I have to allow all pages throughout the site (using jrCore_disable_xframe) or none, because 'X-Frame-Options: SAMEORIGIN' is overridden in jrCore/lib/form.php jrCore_send_response_and_detach().
In my default view function I want to check HTTP_REFERER against the whitelist and set the X-Frame-Options header to allow the page to appear in an iframe.
So would it be possible to add a check in jrCore_send_response_and_detach to see if X-Frame-Options has already been set? There is already a check for Content-Type, so it would work the same as that:
// $cont / $xframe track whether the page has already queued these two headers
$cont   = false;
$xframe = false;
// $_tmp is the list of headers already queued for this response (built earlier in the function)
if ($_tmp && is_array($_tmp)) {
    foreach ($_tmp as $header) {
        // Content-Length is dropped; every other queued header is re-sent as-is
        if (stripos($header, 'Content-Length') !== 0) {
            header($header);
            if (stripos($header, 'Content-Type') === 0) {
                $cont = true;
            }
            // proposed addition: remember that the page chose its own X-Frame-Options
            if (stripos($header, 'X-Frame-Options') === 0) {
                $xframe = true;
            }
        }
    }
}
else {
    $_tmp = array();
}
if (!$cont) {
    header("Content-Type: text/html; charset=utf-8");
}
// only fall back to SAMEORIGIN when neither the config nor the page has set a framing policy
if (!isset($_conf['jrCore_disable_xframe']) && !$xframe) {
    header('X-Frame-Options: SAMEORIGIN');
}
Thanks!
--
¯\_(ツ)_/¯ Education, learning resources, TEL, AR/VR/MR, CC licensed content, panoramas, interactive narrative, sectional modules (like jrDocs), lunch at Uni of Bristol. Get in touch if you share my current interests or can suggest better :)
updated by @ultrajam: 11/01/18 10:23:31PM
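One way to build the referer whitelist check the post describes, together with the proposed "has X-Frame-Options already been set" merge, as an added example that is not Jamroom's own code. The function names and the lms.example.edu allow-list are made up for illustration; $_conf['jrCore_disable_xframe'] is the only name taken from the post. Two caveats worth keeping in mind with this approach: the Referer header is a hint the browser may omit or the client may forge, so it should be matched on the whole origin and never on a substring, and X-Frame-Options: ALLOW-FROM is only honoured by older browsers, so the example also emits the Content-Security-Policy frame-ancestors directive that current browsers use.

```php
<?php
// Added example (not Jamroom's code): decide a page's framing headers from the
// Referer and an allow-list of origins, then merge them with headers already
// queued the way the proposed jrCore_send_response_and_detach() change would.
// Helper names are hypothetical; the allow-list and requests below are constructed.

/**
 * Reduce a URL to its origin (scheme://host[:port]) so that the path or query of a
 * Referer cannot be used to fake a match, e.g. "https://evil.example/https://lms.example.edu".
 * Returns null for anything that is not an absolute URL.
 */
function frame_origin_of($url) {
    $p = parse_url($url);
    if (!$p || empty($p['scheme']) || empty($p['host'])) {
        return null;
    }
    $origin = strtolower($p['scheme']) . '://' . strtolower($p['host']);
    if (!empty($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return $origin;
}

/**
 * Headers a view function would queue for this page: if the referring origin is on
 * the allow-list, permit exactly that origin to frame the page; otherwise SAMEORIGIN.
 */
function frame_headers_for_referer($referer, array $whitelist) {
    $origin = frame_origin_of((string) $referer);
    if ($origin !== null && in_array($origin, $whitelist, true)) {
        return array(
            // legacy header, honoured only by older browsers
            'X-Frame-Options: ALLOW-FROM ' . $origin,
            // modern equivalent understood by current browsers
            "Content-Security-Policy: frame-ancestors 'self' " . $origin,
        );
    }
    return array('X-Frame-Options: SAMEORIGIN');
}

/**
 * Model of the proposed merge logic: re-send queued headers except Content-Length,
 * add a default Content-Type when none was queued, and add the SAMEORIGIN default
 * only when the page has not set X-Frame-Options itself and the config has not
 * disabled it. Returns the final list instead of calling header() so it can be inspected.
 */
function merge_response_headers(array $queued, array $conf) {
    $out    = array();
    $cont   = false;
    $xframe = false;
    foreach ($queued as $h) {
        if (stripos($h, 'Content-Length') === 0) {
            continue;
        }
        $out[] = $h;
        if (stripos($h, 'Content-Type') === 0) {
            $cont = true;
        }
        if (stripos($h, 'X-Frame-Options') === 0) {
            $xframe = true;
        }
    }
    if (!$cont) {
        $out[] = 'Content-Type: text/html; charset=utf-8';
    }
    if (!isset($conf['jrCore_disable_xframe']) && !$xframe) {
        $out[] = 'X-Frame-Options: SAMEORIGIN';
    }
    return $out;
}

// --- constructed sample run ---
$whitelist = array('https://lms.example.edu');   // constructed allow-list of framing origins
$conf      = array();                              // jrCore_disable_xframe is not set

// a page whose view function already chose its framing headers from a whitelisted referer
$queued = array_merge(
    array('Content-Length: 1234'),
    frame_headers_for_referer('https://lms.example.edu/course/42', $whitelist)
);
print_r(merge_response_headers($queued, $conf));

// a referer that only contains the whitelisted origin in its path is treated as unknown
$queued = frame_headers_for_referer('https://evil.example/https://lms.example.edu', $whitelist);
print_r(merge_response_headers($queued, $conf));

// a page that sets no framing header at all still receives the default
print_r(merge_response_headers(array('Content-Type: application/json'), $conf));
```

Because merge_response_headers() returns the list rather than calling header(), the three cases can be checked in a plain CLI run before the logic is wired into the real response path.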