diff --git a/includes/core/class-access.php b/includes/core/class-access.php index 765fc357..60463bf9 100644 --- a/includes/core/class-access.php +++ b/includes/core/class-access.php @@ -76,6 +76,7 @@ if ( ! class_exists( 'um\core\Access' ) ) { // check the site's accessible more priority have Individual Post/Term Restriction settings add_action( 'template_redirect', array( &$this, 'template_redirect' ), 1000 ); + add_action( 'template_redirect', array( &$this, 'send_frame_options_header' ), 1010 ); add_action( 'um_access_check_blog_page_settings', array( &$this, 'um_access_check_blog_page_settings' ) ); add_action( 'um_access_check_individual_term_settings', array( &$this, 'um_access_check_individual_term_settings' ) ); add_action( 'um_access_check_global_settings', array( &$this, 'um_access_check_global_settings' ) ); @@ -1795,6 +1796,23 @@ if ( ! class_exists( 'um\core\Access' ) ) { } + /** + * Sends a HTTP header to limit rendering of pages to same origin iframes when loading sensitive pages. + * + * Can be disabled with: remove_action( 'template_redirect', array( UM()->access(), 'send_frame_options_header' ), 1010 ); + * + * @since 2.8.0 + */ + public function send_frame_options_header() { + if ( um_is_core_page( 'account' ) + || um_is_core_page( 'login' ) + || um_is_core_page( 'password-reset' ) + || um_is_core_page( 'register' ) ) { + send_frame_options_header(); + } + } + + /** * Sets a custom access referer in a redirect URL *