From 635e7cdd2d488125fd41a032a5c4cb0ec47d2c15 Mon Sep 17 00:00:00 2001
From: ryan <ryan@1a063a9b-81f0-0310-95a4-ce76da25c4cd>
Date: Tue, 24 May 2011 15:29:12 +0000
Subject: [PATCH] Send X-Frame-Options: SAMEORIGIN for admin and login pages.
 see #12293

git-svn-id: http://svn.automattic.com/wordpress/branches/3.1@18013 1a063a9b-81f0-0310-95a4-ce76da25c4cd
---
 wp-includes/default-filters.php |  2 ++
 wp-includes/functions.php       | 12 ++++++++++++
 wp-login.php                    |  3 ++-
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/wp-includes/default-filters.php b/wp-includes/default-filters.php
index 4822e2ead0..e3e5dfba12 100644
--- a/wp-includes/default-filters.php
+++ b/wp-includes/default-filters.php
@@ -218,6 +218,7 @@ add_action( 'template_redirect',   'wp_shortlink_header',           11, 0 );
 // Login actions
 add_action( 'login_head',          'wp_print_head_scripts',         9     );
 add_action( 'login_footer',        'wp_print_footer_scripts'              );
+add_action( 'login_init',          'send_frame_options_header',     10, 0 );
 
 // Feed Generator Tags
 foreach ( array( 'rss2_head', 'commentsrss2_head', 'rss_head', 'rdf_header', 'atom_head', 'comments_atom_head', 'opml_head', 'app_head' ) as $action ) {
@@ -249,6 +250,7 @@ add_action( 'save_post',                  '_save_post_hook',          5, 2 );
 add_action( 'transition_post_status',     '_transition_post_status',  5, 3 );
 add_action( 'comment_form', 'wp_comment_form_unfiltered_html_nonce'        );
 add_action( 'wp_scheduled_delete',        'wp_scheduled_delete'            );
+add_action( 'admin_init',                 'send_frame_options_header', 10, 0 );
 
 // Navigation menu actions
 add_action( 'delete_post',                '_wp_delete_post_menu_item'      );
diff --git a/wp-includes/functions.php b/wp-includes/functions.php
index 72843130a8..d5920de083 100644
--- a/wp-includes/functions.php
+++ b/wp-includes/functions.php
@@ -4482,4 +4482,16 @@ function wp_find_hierarchy_loop_tortoise_hare( $callback, $start, $override = ar
 	return false;
 }
 
+/**
+ * Send a HTTP header to limit rendering of pages to same origin iframes.
+ *
+ * @link https://developer.mozilla.org/en/the_x-frame-options_response_header
+ *
+ * @since 3.2.0
+ * @return none
+ */
+function send_frame_options_header() {
+	@header( 'X-Frame-Options: SAMEORIGIN' );
+}
+
 ?>
diff --git a/wp-login.php b/wp-login.php
index ab9cff5580..0f471b0d7b 100644
--- a/wp-login.php
+++ b/wp-login.php
@@ -368,7 +368,8 @@ if ( SITECOOKIEPATH != COOKIEPATH )
 	setcookie(TEST_COOKIE, 'WP Cookie check', 0, SITECOOKIEPATH, COOKIE_DOMAIN);
 
 // allow plugins to override the default actions, and to add extra actions if they want
-do_action('login_form_' . $action);
+do_action( 'login_init' );
+do_action( 'login_form_' . $action );
 
 $http_post = ('POST' == $_SERVER['REQUEST_METHOD']);
 switch ($action) {