From 8f93926e1bc6e96fc11b4d0d201025022d471de7 Mon Sep 17 00:00:00 2001
From: Pierre Schmitz
Date: Tue, 4 Jan 2011 12:24:29 +0100
Subject: update to MediaWiki 1.16.1

---
 includes/OutputPage.php | 43 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)

(limited to 'includes/OutputPage.php')

diff --git a/includes/OutputPage.php b/includes/OutputPage.php
index 4333383c..97e26110 100644
--- a/includes/OutputPage.php
+++ b/includes/OutputPage.php
@@ -37,6 +37,7 @@ class OutputPage {
 	var $mPageTitleActionText = '';
 	var $mParseWarnings = array();
 	var $mSquidMaxage = 0;
+	var $mPreventClickjacking = true;
 	var $mRevisionId = null;
 	protected $mTitle = null;
 
@@ -1347,6 +1348,41 @@ class OutputPage {
 		}
 	}
 
+	/**
+	 * Set a flag which will cause an X-Frame-Options header appropriate for
+	 * edit pages to be sent. The header value is controlled by
+	 * $wgEditPageFrameOptions.
+	 *
+	 * This is the default for special pages. If you display a CSRF-protected
+	 * form on an ordinary view page, then you need to call this function.
+	 */
+	public function preventClickjacking( $enable = true ) {
+		$this->mPreventClickjacking = $enable;
+	}
+	/**
+	 * Turn off frame-breaking. Alias for $this->preventClickjacking(false).
+	 * This can be called from pages which do not contain any CSRF-protected
+	 * HTML form.
+	 */
+	public function allowClickjacking() {
+		$this->mPreventClickjacking = false;
+	}
+	/**
+	 * Get the X-Frame-Options header value (without the name part), or false
+	 * if there isn't one. This is used by Skin to determine whether to enable
+	 * JavaScript frame-breaking, for clients that don't support X-Frame-Options.
+	 */
+	public function getFrameOptions() {
+		global $wgBreakFrames, $wgEditPageFrameOptions;
+		if ( $wgBreakFrames ) {
+			return 'DENY';
+		} elseif ( $this->mPreventClickjacking && $wgEditPageFrameOptions ) {
+			return $wgEditPageFrameOptions;
+		}
+	}
+
 	/**
 	 * Send cache control HTTP headers
 	 */
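Review bot: `$mPreventClickjacking` is added as an undocumented `var` (public) property whose default is `true`, so the secure default is easy to misread as "clickjacking is permitted". A one-line comment above it, `/** Send an X-Frame-Options header with this response; cleared via allowClickjacking() */`, would make the polarity explicit. Because the property is public like its neighbours, any caller can also flip it directly without going through preventClickjacking()/allowClickjacking(), which is worth remembering when auditing which pages disable the header.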
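Review bot: getFrameOptions() is documented as returning `false` when no header applies, but when `$wgBreakFrames` is off and either `mPreventClickjacking` is false or `$wgEditPageFrameOptions` is empty the function falls off the end and returns `null`. A caller in Skin that tests `=== false`, as the docblock invites, would then treat `null` as a header value; add an explicit `return false;` after the elseif block so the documented contract holds. Separately, `$wgEditPageFrameOptions` is passed verbatim into the response header: an unrecognised value is ignored by browsers, so a typo in configuration silently removes the protection, and a startup-time sanity check on the configured value (or at least a comment noting that only the values browsers recognise are useful) would catch that.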
@@ -1561,6 +1597,13 @@ class OutputPage {
 		$wgRequest->response()->header( "Content-type: $wgMimeType; charset={$wgOutputEncoding}" );
 		$wgRequest->response()->header( 'Content-language: '.$wgContLanguageCode );
 
+		// Prevent framing, if requested
+		$frameOptions = $this->getFrameOptions();
+		if ( $frameOptions ) {
+			$wgRequest->response()->header( "X-Frame-Options: $frameOptions" );
+		}
+
+
 		if ($this->mArticleBodyOnly) {
 			$this->out($this->mBodytext);
 		} else {
-- cgit v1.2.3-54-g00ecf
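Review bot: The X-Frame-Options header is the only framing protection this path gives `$this->mArticleBodyOnly` responses, which write `$this->mBodytext` directly and so, presumably, never reach the Skin code that getFrameOptions() is documented to drive for the JavaScript frame-breaker; browsers without X-Frame-Options support therefore get no frame-breaking on those responses, and it should be confirmed that they never carry a CSRF-protected form or that this is acceptable. The comment `// Prevent framing, if requested` also understates the default; `// X-Frame-Options: sent unless allowClickjacking() was called or $wgEditPageFrameOptions is unset; $wgBreakFrames forces DENY` says what actually decides it. output() begins before this hunk, so any early return earlier in the method (redirects, disabled output) is not covered by this header and should be checked separately.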