Hi,
Attached patch adds an X-Frame-Options header to simpleSAMLphp pages. In modern
browsers that support this header, this prevents simpleSAMLphp from being
included into an HTML frame. Such inclusion is used in clickjacking attacks.
Especially a security-related application like SSP should protect against that
when possible.
The header is described here:
https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
I personally would go for the value "DENY", since I think any framing could be
considered bad security practice as users cannot see/check the URL they're
loading. However, SAMEORIGIN does protect against this on remote sites and it
may be safe to assume that people are not running untrusted applications on the
same origin, as they would have more security issues then.
The patch comments the option in the code and those that really want to shoot
themselves in the foot can easily just comment out one line.
Original issue reported on code.google.com by thijs@kinkhorst.com on 20 Dec 2011 at 3:13
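As an added example (not the attached patch, which is not reproduced here), the following Python check reads the response headers a page sends and reports which framing the X-Frame-Options value actually permits, so a deployer can verify that the DENY or SAMEORIGIN choice discussed above is really in effect. The sample header lines are constructed for illustration.

```python
"""Classify the clickjacking protection a page's response headers provide."""
from typing import Dict, Iterable, List

# Verdicts the checker can return.
NO_PROTECTION = "no protection: page can be framed by any site"
DENY = "DENY: page cannot be framed at all"
SAMEORIGIN = "SAMEORIGIN: only same-origin pages may frame it"
ALLOW_FROM = "ALLOW-FROM: obsolete value, not honoured by every browser"
CONFLICT = "conflicting values: browser behaviour differs, fix the configuration"


def parse_headers(raw_lines: Iterable[str]) -> Dict[str, List[str]]:
    """Parse 'Name: value' lines into a case-insensitive multi-map.

    Header names are lowercased; repeated headers keep every value so that
    a duplicated or conflicting X-Frame-Options header is not hidden.
    """
    headers: Dict[str, List[str]] = {}
    for line in raw_lines:
        if ":" not in line:
            continue  # status line or blank line, not a header
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_policy(headers: Dict[str, List[str]]) -> str:
    """Return what the X-Frame-Options header (if any) allows."""
    values = [v.upper() for v in headers.get("x-frame-options", [])]
    if not values:
        return NO_PROTECTION
    if len(set(values)) > 1:
        return CONFLICT
    value = values[0]
    if value == "DENY":
        return DENY
    if value == "SAMEORIGIN":
        return SAMEORIGIN
    if value.startswith("ALLOW-FROM"):
        return ALLOW_FROM
    # A misspelt value ("DENNY") is silently ignored by browsers.
    return NO_PROTECTION


# Constructed sample: what a login page might return after the patch.
SAMPLE_DENY = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "X-Frame-Options: DENY",
]

if __name__ == "__main__":
    print(framing_policy(parse_headers(SAMPLE_DENY)))
```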