+/** Include required files from SM */
+include_once(SM_PATH . 'functions/imap_mailbox.php');
+
+/**
+ * Output a SquirrelMail page header, from <!doctype> to </head>
+ * Always set up the language before calling these functions.
+ *
+ * Since 1.5.1 function sends http headers. Function should be called
+ * before any output is started.
+ * @param string title the page title, default SquirrelMail.
+ * @param string xtra extra HTML to insert into the header
+ * @param bool do_hook whether to execute hooks, default true
+ * @param bool frames generate html frameset doctype (since 1.5.1)
+ * @param bool $browser_cache_ok When TRUE, it's OK to leave out the
+ * no-cache browser headers (OPTIONAL;
+ * default = FALSE, send no-cache headers)
+ * @return void
+ */
+function displayHtmlHeader( $title = 'SquirrelMail', $xtra = '', $do_hook = TRUE, $frames = FALSE, $browser_cache_ok=FALSE ) {
+ global $squirrelmail_language, $sTemplateID, $oErrorHandler, $oTemplate;
+
+ if ( !sqgetGlobalVar('base_uri', $base_uri, SQ_SESSION) ) {
+ global $base_uri;
+ }
+ global $custom_css, $pageheader_sent, $theme, $theme_default, $text_direction,
+ $default_fontset, $chosen_fontset, $default_fontsize, $chosen_fontsize,
+ $chosen_theme, $chosen_theme_path, $user_themes, $user_theme_default;
+
+ // add no cache headers here
+ //
+ if (!$browser_cache_ok) {
+//FIXME: should change all header() calls in SM core to use $oTemplate->header()!!
+ $oTemplate->header('Pragma: no-cache'); // http 1.0 (rfc1945)
+ $oTemplate->header('Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0'); // http 1.1 (rfc2616)
+ $oTemplate->header('Expires: Sat, 1 Jan 2000 00:00:00 GMT');
+//TODO: is this needed? $oTemplate->header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . 'GMT');
+ }
+ /* prevent information leakage about read emails by forbidding Firefox
+ * to do preemptive DNS requests for any links in the message body. */
+ $oTemplate->header('X-DNS-Prefetch-Control: off');
+
+ // don't show version as a security measure
+ //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
+ $oTemplate->header('X-Powered-By: SquirrelMail', FALSE);
+
+ // prevent clickjack attempts
+// FIXME: should we use DENY instead? We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
+ $oTemplate->header('X-Frame-Options: SAMEORIGIN');
+
+ // prevent clickjack attempts using JavaScript for browsers that
+ // don't support the X-Frame-Options header...
+ // we check to see if we are *not* the top page, and if not, check
+ // whether or not the top page is in the same domain as we are...
+ // if not, log out immediately -- this is an attempt to do the same
+ // thing that the X-Frame-Options does using JavaScript (never a good
+ // idea to rely on JavaScript-based solutions, though)
+//FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user?
+ $header_tags = '<script type="text/javascript" language="JavaScript">'
+ . "\n<!--\n"
+ . 'if (self != top) { try { if (document.domain != top.document.domain) {'
+ . ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "'
+ . sqm_baseuri() . 'src/signout.php"; top.location = "'
+ . sqm_baseuri() . 'src/signout.php" } }'
+ . "\n// -->\n</script>\n";