+ // don't show version as a security measure
+ //$oTemplate->header('X-Powered-By: SquirrelMail/' . SM_VERSION, FALSE);
+ $oTemplate->header('X-Powered-By: SquirrelMail', FALSE);
+
+ // prevent clickjack attempts
+// FIXME: should we use DENY instead? We can also make this a configurable value, including giving the admin the option of removing this entirely in case they WANT to be framed by an external domain
+ $oTemplate->header('X-Frame-Options: SAMEORIGIN');
+
+ // prevent clickjack attempts using JavaScript for browsers that
+ // don't support the X-Frame-Options header...
+ // we check to see if we are *not* the top page, and if not, check
+ // whether or not the top page is in the same domain as we are...
+ // if not, log out immediately -- this is an attempt to do the same
+ // thing that the X-Frame-Options does using JavaScript (never a good
+ // idea to rely on JavaScript-based solutions, though)
+//FIXME: is it a problem that we still force the clickjack protection code whether or not JavaScript is supported or desired by the user?
+ $header_tags = '<script type="text/javascript" language="JavaScript">'
+ . "\n<!--\n"
+ . 'if (self != top) { try { if (document.domain != top.document.domain) {'
+ . ' throw "Clickjacking security violation! Please log out immediately!"; /* this code should never execute - exception should already have been thrown since it\'s a security violation in this case to even try to access top.document.domain (but it\'s left here just to be extra safe) */ } } catch (e) { self.location = "'
+ . sqm_baseuri() . 'src/signout.php"; top.location = "'
+ . sqm_baseuri() . 'src/signout.php" } }'
+ . "\n// -->\n</script>\n";
+
+ $oTemplate->assign('frames', $frames);
+ $oTemplate->assign('lang', $squirrelmail_language);
+
+ $header_tags .= "<meta name=\"robots\" content=\"noindex,nofollow\" />\n";
+
+ $used_fontset = (!empty($chosen_fontset) ? $chosen_fontset : $default_fontset);
+ $used_fontsize = (!empty($chosen_fontsize) ? $chosen_fontsize : $default_fontsize);
+ $used_theme = !isset($chosen_theme) && $user_theme_default != 'none' && is_dir($chosen_theme) && is_readable($chosen_theme)? $user_themes[$user_theme_default]['PATH'].'/default.css' : $chosen_theme_path;
+
+ /**
+ * Stylesheets are loaded in the following order:
+ * 1) All stylesheets provided by the template. Normally, these are
+ * stylsheets in templates/<template>/css/. This is accomplished by calling
+ * $oTemplate->fetch_standard_stylesheet_links().
+ * 2) An optional user-defined stylesheet. This is set in the Display
+ * Preferences.
+ * 3) src/style.php which sets some basic font prefs.
+ * 4) If we are dealing with an RTL language, we load rtl.css from the
+ * template set.