From 97cae30a51bfde7bd5bfe46185c28e848e37ccb2 Mon Sep 17 00:00:00 2001 From: the-djmaze <> Date: Fri, 30 Sep 2022 14:01:57 +0200 Subject: [PATCH] Drop in_iframe and X-Frame-Options due to CSP, found while investigating #537 --- dev/App/Abstract.js | 4 +--- dev/App/User.js | 4 ++-- dev/bootstrap.js | 2 +- snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php | 1 - .../v/0.0.0/app/libraries/RainLoop/Config/Application.php | 2 -- snappymail/v/0.0.0/app/libraries/RainLoop/Service.php | 4 +--- 6 files changed, 5 insertions(+), 12 deletions(-) diff --git a/dev/App/Abstract.js b/dev/App/Abstract.js index a104e1cca..24d1cf9c9 100644 --- a/dev/App/Abstract.js +++ b/dev/App/Abstract.js @@ -1,7 +1,5 @@ import ko from 'ko'; -import { Settings } from 'Common/Globals'; - import { logoutLink } from 'Common/Links'; import { i18nToNodes, initOnStartOrLangChange } from 'Common/Translator'; @@ -23,7 +21,7 @@ export class AbstractApp { const url = logoutLink(); if (location.href !== url) { - setTimeout(() => (Settings.app('inIframe') ? parent : window).location.href = url, 100); + setTimeout(() => location.href = url, 100); } else { rl.route.reload(); } diff --git a/dev/App/User.js b/dev/App/User.js index 82dfe6e4d..2188b6d9e 100644 --- a/dev/App/User.js +++ b/dev/App/User.js @@ -79,7 +79,7 @@ export class AppUser extends AbstractApp { const currentTime = Date.now(); if (currentTime > (lastTime + interval + 1000)) { Remote.request('Version', - iError => (100 < iError) && (Settings.app('inIframe') ? parent : window).location.reload(), + iError => (100 < iError) && location.reload(), { Version: Settings.app('version') } ); } @@ -211,7 +211,7 @@ export class AppUser extends AbstractApp { Remote.request('Logout', () => { const customLogoutLink = Settings.app('customLogoutLink'); if (customLogoutLink) { - ((window.parent && Settings.app('inIframe')) ? window.parent : window).location.href = customLogoutLink; + location.href = customLogoutLink; } else { rl.logoutReload() } 
diff --git a/dev/bootstrap.js b/dev/bootstrap.js index 95aed4389..0b800da8b 100644 --- a/dev/bootstrap.js +++ b/dev/bootstrap.js @@ -39,7 +39,7 @@ export default App => { }, reload: () => { rl.route.root(); - setTimeout(() => (Settings.app('inIframe') ? parent : window).location.reload(), 100); + setTimeout(() => location.reload(), 100); }, off: () => hasher.active = false, on: () => hasher.active = true diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php index 469cb5ddf..30cd918ac 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Actions.php @@ -652,7 +652,6 @@ class Actions 'version' => APP_VERSION, 'admin' => $bAdmin, 'token' => $oConfig->Get('security', 'csrf_protection', false) ? Utils::GetCsrfToken() : '', - 'inIframe' => (bool)$oConfig->Get('labs', 'in_iframe', false), 'allowHtmlEditorBitiButtons' => (bool)$oConfig->Get('labs', 'allow_html_editor_biti_buttons', false), 'allowCtrlEnterOnCompose' => (bool)$oConfig->Get('labs', 'allow_ctrl_enter_on_compose', false), 'useImapThread' => (bool)$oConfig->Get('labs', 'use_imap_thread', false), diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php index dbba3e460..3f0fdfb3b 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Config/Application.php @@ -168,7 +168,6 @@ class Application extends \RainLoop\Config\AbstractConfig 'Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)'), 'custom_server_signature' => array('SnappyMail'), - 'x_frame_options_header' => array('DENY'), 'x_xss_protection_header' => array('1; mode=block'), 'openpgp' => array(false), 
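Review bot: The rewritten `reload` handler in dev/bootstrap.js no longer references `Settings`, but the hunk does not show the module's import list, so it is worth checking whether `Settings` is still used elsewhere in that file; if this was its only use, the `Common/Globals` import is now dead and should be dropped the way Abstract.js's was in this same commit. The enclosing `export default App => { … }` starts and ends outside the hunk.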
@@ -375,7 +374,6 @@ Enables caching in the system'), 'folders_spec_limit' => array(50), 'curl_proxy' => array(''), 'curl_proxy_auth' => array(''), - 'in_iframe' => array(false), 'force_https' => array(false), 'custom_login_link' => array(''), 'custom_logout_link' => array(''), diff --git a/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php b/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php index b3783ae96..3733f9b46 100644 --- a/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php +++ b/snappymail/v/0.0.0/app/libraries/RainLoop/Service.php @@ -43,9 +43,6 @@ abstract class Service static::setCSP(); - $sXFrameOptionsHeader = \trim($oConfig->Get('security', 'x_frame_options_header', '')) ?: 'DENY'; - \header('X-Frame-Options: '.$sXFrameOptionsHeader); - $sXssProtectionOptionsHeader = \trim($oConfig->Get('security', 'x_xss_protection_header', '')) ?: '1; mode=block'; \header('X-XSS-Protection: '.$sXssProtectionOptionsHeader); @@ -250,6 +247,7 @@ abstract class Service $CSP = new \SnappyMail\HTTP\CSP(\trim(Api::Config()->Get('security', 'content_security_policy', ''))); $CSP->report = Api::Config()->Get('security', 'csp_report', false); $CSP->report_only = Api::Config()->Get('debug', 'enable', false); // '0.0.0' === APP_VERSION +// $CSP->frame = \explode(' ', Api::Config()->Get('security', 'csp_iframe', '')); // Allow https: due to remote images in e-mails or use proxy if (!Api::Config()->Get('security', 'use_local_proxy_for_external_images', '')) {
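Review bot: Removing the unconditional `X-Frame-Options` header in Service.php (hunk at line 43) keeps clickjacking protection only if the CSP already carries a `frame-ancestors` directive, yet the one frame-related CSP line this commit touches (hunk at line 250) is commented out, so unless `\SnappyMail\HTTP\CSP` emits `frame-ancestors` on its own (not visible here) the previous `DENY` default is silently lost. The CSP is also switched to report-only whenever `debug.enable` is set, which would leave framing unenforced in debug deployments where the old header still applied. Nothing in the Application.php hunks adds a `security.csp_iframe` default for the key the commented line reads, so confirm it exists or admins have nowhere to configure it. Until frame-ancestors is confirmed, keep `\header('X-Frame-Options: DENY');` right after `static::setCSP();`, or enable the frame line with a fallback equivalent to the old default, e.g. `$CSP->frame = \explode(' ', Api::Config()->Get('security', 'csp_iframe', "'none'"));`, assuming `frame` maps to frame-ancestors. Both hunks sit inside methods whose bodies extend beyond the hunk.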