From 0a00be7cfe1dfcf45da982e584a2f1e51bd0b348 Mon Sep 17 00:00:00 2001
From: AndyButland <abutland73@gmail.com>
Date: Mon, 13 Jun 2016 20:48:37 +0200
Subject: [PATCH] Set fixed value for click-jacking protection to sameorigin
 instead of deny

---
 src/Umbraco.Web.UI/umbraco/config/lang/en.xml                 | 4 ++--
 src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml              | 4 ++--
 .../HealthCheck/Checks/Security/ClickJackingCheck.cs          | 3 ++-
 3 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/Umbraco.Web.UI/umbraco/config/lang/en.xml b/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
index 72a7289121..85d32675f8 100644
--- a/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
+++ b/src/Umbraco.Web.UI/umbraco/config/lang/en.xml
@@ -1355,8 +1355,8 @@ To manage your website, simply open the Umbraco back office and start adding con
     <key alias="clickJackingCheckHeaderFound"><![CDATA[The header or meta-tag <strong>X-Frame-Options</strong> used to control whether a site can be IFRAMed by another was found.]]></key>
     <key alias="clickJackingCheckHeaderNotFound"><![CDATA[The header or meta-tag <strong>X-Frame-Options</strong> used to control whether a site can be IFRAMed by another was not found.]]></key>
     <key alias="clickJackingSetHeaderInConfig">Set Header in Config</key>
-    <key alias="clickJackingSetHeaderInConfigDescription">Added a value to the httpProtocol/customHeaders section of web.config to prevent the site being IFRAMed.</key>
-    <key alias="clickJackingSetHeaderInConfigSuccess">A setting to create a header preventing IFRAMing of the site has been added to your web.config file.</key>
+    <key alias="clickJackingSetHeaderInConfigDescription">Adds a value to the httpProtocol/customHeaders section of web.config to prevent the site being IFRAMed by other websites.</key>
+    <key alias="clickJackingSetHeaderInConfigSuccess">A setting to create a header preventing IFRAMing of the site by other websites has been added to your web.config file.</key>
     <key alias="clickJackingSetHeaderInConfigError">Could not update web.config file. Error: %0%</key>
 
     <!-- The following key get these tokens passed in:
diff --git a/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml b/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
index ebbd08b2c8..a84910988b 100644
--- a/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
+++ b/src/Umbraco.Web.UI/umbraco/config/lang/en_us.xml
@@ -1360,8 +1360,8 @@ To manage your website, simply open the Umbraco back office and start adding con
     <key alias="clickJackingCheckHeaderFound"><![CDATA[The header or meta-tag <strong>X-Frame-Options</strong> used to control whether a site can be IFRAMed by another was found.]]></key>
     <key alias="clickJackingCheckHeaderNotFound"><![CDATA[The header or meta-tag <strong>X-Frame-Options</strong> used to control whether a site can be IFRAMed by another was not found.]]></key>
     <key alias="clickJackingSetHeaderInConfig">Set Header in Config</key>
-    <key alias="clickJackingSetHeaderInConfigDescription">Added a value to the httpProtocol/customHeaders section of web.config to prevent the site being IFRAMed.</key>
-    <key alias="clickJackingSetHeaderInConfigSuccess">A setting to create a header preventing IFRAMing of the site has been added to your web.config file.</key>
+    <key alias="clickJackingSetHeaderInConfigDescription">Adds a value to the httpProtocol/customHeaders section of web.config to prevent the site being IFRAMed by other websites.</key>
+    <key alias="clickJackingSetHeaderInConfigSuccess">A setting to create a header preventing IFRAMing of the site by other websites has been added to your web.config file.</key>
     <key alias="clickJackingSetHeaderInConfigError">Could not update web.config file. Error: %0%</key>
 
     <!-- The following key get these tokens passed in:
diff --git a/src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs b/src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
index 716d901f4f..2a57b4be0a 100644
--- a/src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
+++ b/src/Umbraco.Web/HealthCheck/Checks/Security/ClickJackingCheck.cs
@@ -23,6 +23,7 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
         private const string SetFrameOptionsHeaderInConfigActiobn = "setFrameOptionsHeaderInConfig";
 
         private const string XFrameOptionsHeader = "X-Frame-Options";
+        private const string XFrameOptionsValue = "sameorigin"; // Note can't use "deny" as that would prevent Umbraco itself using IFRAMEs
 
         public ClickJackingCheck(HealthCheckContext healthCheckContext) : base(healthCheckContext)
         {
@@ -194,7 +195,7 @@ namespace Umbraco.Web.HealthCheck.Checks.Security
                 {
                     addHeaderElement = new XElement("add");
                     addHeaderElement.Add(new XAttribute("name", XFrameOptionsHeader));
-                    addHeaderElement.Add(new XAttribute("value", "deny"));
+                    addHeaderElement.Add(new XAttribute("value", XFrameOptionsValue));
                     customHeadersElement.Add(addHeaderElement);
                 }