From 62b3d204b2fa0e719ba6d9ecad1371d670aa5a1e Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Fri, 8 Apr 2016 10:03:24 +0100
Subject: [PATCH] Bug 16210: Revert OPAC changes from Bug 15111
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

This patch reverts the changes made at the OPAC from the following
patches:

Do not include the antiClickjack legacy browser trick for greybox"

Revert "Bug 15111: Do not include the antiClickjack legacy browser trick for greybox"
This reverts commit fc640d2a86f395ad392f84314bce22e8b4dab1fe.

Revert "Bug 15111: Change X-Frame-Options with SAMEORIGIN"
This reverts commit fb167c0e4b897bf9a93b4fd6176b15e2d4dbd4df.

Revert "Bug 15111 - Koha is vulnerable to Cross-Frame Scripting (XFS) attacks"
This reverts commit dc03bca76cf5b7cb48d98d1ce245fc65b98be929.

Setting X-Frame-Options to SAMEORIGIN is enough for mordern browsers:
https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options

The antiClickjack trick should be removed at the OPAC as we want to keep
the OPAC usable even if the user has disabled JS.
That means the OPAC will be vulnerable to XFS if a user is navigating
with a prehistoric browser:
Firefox 3.6.9 September 2010
IE 8    March 2008
Opera 10.5  March 2010
Safari 4  February 2009
Chrome 4.1.â¦  somewhen 2010

Test plan:
Confirm that there are no regression of bug 15111 with modern browsers

Signed-off-by: Marc VÃ©ron <veron@veron.ch>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Brendan Gallagher <bredan@bywatersolutions.com>
(cherry picked from commit d496d03e8aa3079e0d29837b27b31b9a55afd02e)
Signed-off-by: Julian Maurice <julian.maurice@biblibre.com>
(cherry picked from commit 57fc49475db35b965ea50e5b60114fa46b2be37f)
Signed-off-by: FrÃ©dÃ©ric Demians <f.demians@tamil.fr>
---
 .../bootstrap/en/includes/doc-head-close.inc       |   14 --------------
 .../opac-tmpl/bootstrap/en/modules/opac-idref.tt   |    2 +-
 2 files changed, 1 insertions(+), 15 deletions(-)
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc b/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc
index 72e6ab8..bce0da2 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/includes/doc-head-close.inc
@@ -1,20 +1,6 @@
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <meta name="generator" content="Koha [% Version %]" /> <!-- leave this for stats -->
 <meta name="viewport" content="width=device-width, initial-scale=1" />
-
-[%# Prevent XFS attacks -%]
-[% UNLESS popup %]
-    <style id="antiClickjack">body{display:none !important;}</style>
-    <script type="text/javascript">
-       if (self === top) {
-           var antiClickjack = document.getElementById("antiClickjack");
-           antiClickjack.parentNode.removeChild(antiClickjack);
-       } else {
-           top.location = self.location;
-       }
-    </script>
-[% END %]
-
 <link rel="shortcut icon" href="[% IF ( OpacFavicon ) %][% OpacFavicon %][% ELSE %][% interface %]/[% theme %]/images/favicon.ico[% END %]" type="image/x-icon" />
 [% IF ( bidi ) %]
     <link rel="stylesheet" type="text/css" href="[% interface %]/[% theme %]/lib/bootstrap/css/bootstrap-rtl.min.css" />
diff --git a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt
index fdb1d72..4db0d1a 100644
--- a/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt
+++ b/koha-tmpl/opac-tmpl/bootstrap/en/modules/opac-idref.tt
@@ -1,7 +1,7 @@
 [% INCLUDE 'doc-head-open.inc' %]
 <title>[% IF ( LibraryNameTitle ) %][% LibraryNameTitle %][% ELSE %]Koha online[% END %] catalog &rsaquo; Your search IDREF for ppn [% unimarc3 %]</title>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-[% INCLUDE 'doc-head-close.inc' popup => 1 %]
+[% INCLUDE 'doc-head-close.inc' %]
 [% BLOCK cssinclude %]
   <style type="text/css">
     ul.ui-tabs-nav li a, ul.ui-tabs-nav li span.a  { padding:0.6em 1em; }
-- 
1.7.2.5

