Last active
June 6, 2017 14:15
-
-
Save mattwatsoncodes/ebe94e9cd069e681ec181d20034e2a8b to your computer and use it in GitHub Desktop.
Clickjack protection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * Clickjacking protection | |
| * | |
| * Add header to stop site loading in an iFrame. | |
| **/ | |
| function mwtsn_example_send_headers() { | |
| header( 'X-FRAME-OPTIONS: SAMEORIGIN' ); | |
| } | |
| add_action( 'send_headers', 'mwtsn_example_send_headers', 10 ); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <?php | |
| /** | |
| * Clickjacking projection for old browsers | |
| * | |
| * Header not supported by older browsers, use JS fallback. | |
| **/ | |
| function mwtsn_example_wp_enqueue_scripts() { | |
| $script_url = plugins_url( 'js/clickjack-protection.js', __FILE__ ); | |
| wp_enqueue_script( | |
| 'clickjack-protection-js', | |
| $script_url, | |
| array( 'jquery' ), | |
| '', | |
| true | |
| ); | |
| // Clickjack headers not supported below IE8. | |
| wp_script_add_data( 'clickjack-protection-js', 'conditional', 'lt IE 8' ); | |
| } | |
| add_action( 'wp_enqueue_scripts', 'mwtsn_example_wp_enqueue_scripts, 10 ); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /** | |
| * The HTTP header X-Frame-Options: SAMEORIGIN should be set. | |
| * | |
| * Older browsers do not support the X-Frame-Options header, so the following | |
| * JavaScript will act as a workaround. | |
| */ | |
| try { top.document.domain } catch (e) { | |
| var f = function() { | |
| document.body.innerHTML = ''; | |
| }; | |
| setInterval( f, 1 ); | |
| if ( document.body ) { | |
| document.body.onload = f; | |
| }; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment