Backport the frame ancestors self switch to this plugin (#26)
* backport the frame ancestors self switch

* add translations thanks @jeckodevelopment @Sandra97 and @pe7er
zero-24 authored Mar 15, 2020
1 parent 21594dc commit 8a652c1
Showing 7 changed files with 23 additions and 1 deletion.
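--- a/httpheader.php
+++ b/httpheader.php
@@ -328,7 +328,7 @@ private function setCspHeader()
 }
 
 // Add the xframeoptions directive to the CSP too when enabled
-if ($this->params->get('xframeoptions'))
+if ($this->params->get('xframeoptions', 1) || $this->params->get('frame_ancestors_self_enabled', 1))
 {
 $newCspValues[] = "frame-ancestors 'self'";
 }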
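Review bot: The `||` in the new condition means that switching `frame_ancestors_self_enabled` off has no effect while `xframeoptions` is on (both now default to 1), so `frame-ancestors 'self'` is still appended. An admin who disables the switch and lists other origins through the values form would then presumably end up with two `frame-ancestors` directives in one policy; browsers honour only the first occurrence of a directive, so the effective framing policy depends on an ordering that is not visible in this hunk. If the coupling to X-Frame-Options is intended, say so above the condition, e.g. `// Emitted when either switch is on; both must be off to omit frame-ancestors 'self'`, and mention it in the field description; otherwise the new switch alone should gate the directive. `setCspHeader()` starts and ends outside the hunk.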
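--- a/httpheader.xml
+++ b/httpheader.xml
@@ -200,6 +200,18 @@
 <option value="0">JDISABLED</option>
 <option value="1">JENABLED</option>
 </field>
+<field
+name="frame_ancestors_self_enabled"
+type="radio"
+label="PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED"
+description="PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED_DESC"
+class="btn-group btn-group-yesno"
+default="1"
+showon="contentsecuritypolicy:1"
+>
+<option value="0">JDISABLED</option>
+<option value="1">JENABLED</option>
+</field>
 <field
 name="contentsecuritypolicy_values"
 type="subform"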
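--- a/language/de-DE/de-DE.plg_system_httpheader.ini
+++ b/language/de-DE/de-DE.plg_system_httpheader.ini
@@ -10,6 +10,8 @@ PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_KEY="HTTP Header"
 PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_VALUE="HTTP Header Wert"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY="<a href='https://scotthelme.co.uk/content-security-policy-an-introduction' target='_blank' rel='noopener noreferrer'>Content Security Policy (CSP)</a>"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_DESC="Mit dieser Option können alle Werte für die 'Content-Security-Policy' individuell eingestellt werden."
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED="frame-ancestors 'self'"
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED_DESC="Aktivieren Sie den Content-Security-Policy Clickjacking-Schutz und lassen Sie nur den Origin 'self' zu. Bitte verwenden Sie das unten stehende Formular, um andere Origins als 'self' zu erlauben."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY="Report-Only"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY_DESC="Diese Option verwendet den Header 'Content-Security-Policy-Report-Only' anstelle von 'Content-Security-Policy'."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_SCRIPT_HASHES_ENABLED="<a href='https://scotthelme.co.uk/content-security-policy-an-introduction/#hash' target='_blank' rel='noopener noreferrer'>Script hashes</a>"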
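--- a/language/en-GB/en-GB.plg_system_httpheader.ini
+++ b/language/en-GB/en-GB.plg_system_httpheader.ini
@@ -10,6 +10,8 @@ PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_KEY="HTTP Header"
 PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_VALUE="HTTP Header Value"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY="<a href='https://scotthelme.co.uk/content-security-policy-an-introduction' target='_blank' rel='noopener noreferrer'>Content Security Policy (CSP)</a>"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_DESC="With this option all values for the 'Content-Security-Policy' can be set individually."
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED="frame-ancestors 'self'"
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED_DESC="Enable the CSP clickjacking protection frame-ancestors and only allow the origin 'self'. Please use the form below to allow origins other than 'self'."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY="Report-Only"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY_DESC="This option uses the header 'Content-Security-Policy-Report-Only' instead of 'Content-Security-Policy'."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_SCRIPT_HASHES_ENABLED="<a href='https://scotthelme.co.uk/content-security-policy-an-introduction/#hash' target='_blank' rel='noopener noreferrer'>Script hashes</a>"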
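--- a/language/fr-FR/fr-FR.plg_system_httpheader.ini
+++ b/language/fr-FR/fr-FR.plg_system_httpheader.ini
@@ -12,6 +12,8 @@ PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_KEY="En-tête HTTP"
 PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_VALUE="Valeur de l'en-tête HTTP"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY="<a href='https://scotthelme.co.uk/content-security-policy-an-introduction' target='_blank' rel='noopener noreferrer'>Politique de sécurité du contenu (CSP)</a>"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_DESC="Avec cette option, toutes les valeurs de la 'Content-Security-Policy' peuvent être réglées individuellement."
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED="frame-ancestors 'self'"
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED_DESC="Activer la protection CSP frame-ancestors contre le détournement de clic et n'autoriser que l'origine 'self'. Veuillez utiliser le formulaire ci-dessous pour autoriser les origines autres que 'self'."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY_DESC="Cette option utilise l'en-tête 'Content-Security-Policy-Report-Only' au lieu de 'Content-Security-Policy'."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY="Rapport-uniquement"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY_DESC="Cette option utilise l'en-tête 'Content-Security-Policy-Report-Only' au lieu de 'Content-Security-Policy'."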
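--- a/language/it-IT/it-IT.plg_system_httpheader.ini
+++ b/language/it-IT/it-IT.plg_system_httpheader.ini
@@ -11,6 +11,8 @@ PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_KEY="Header HTTP"
 PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_VALUE="Valore Header HTTP"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY="<a href='https://scotthelme.co.uk/content-security-policy-an-introduction' target='_blank' rel='noopener noreferrer'>Content Security Policy (CSP)</a>"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_DESC="Con quest'opzione tutti i valori per la 'Content-Security-Policy' possono essere impostati individualmente."
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED="frame-ancestors 'self'"
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED_DESC="Abilita la protezione CSP da clickjacking frame-ancestors e consenti solo l'origine 'self'. Utilizza il modulo sottostante per abilitare altre origini diverse da 'self'."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY_DESC="Quest'opzione utilizza l'header 'Content-Security-Policy-Report-Only' invece di 'Content-Security-Policy."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY="Report-Only"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_VALUES="Aggiungi valore"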
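--- a/language/nl-NL/nl-NL.plg_system_httpheader.ini
+++ b/language/nl-NL/nl-NL.plg_system_httpheader.ini
@@ -11,6 +11,8 @@ PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_KEY="HTTP Header"
 PLG_SYSTEM_HTTPHEADER_ADDITIONAL_HEADER_VALUE="HTTP Header waarde"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY="<a href='https://scotthelme.co.uk/content-security-policy-an-introduction' target='_blank' rel='noopener noreferrer'>Content Security Policy (CSP)</a>"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_DESC="Met deze optie kunnen alle waarden voor het 'Content-Security-Policy' individueel worden ingesteld"
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED="frame-ancestors 'self'"
+PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_FRAME_ANCESTORS_SELF_ENABLED_DESC="Schakel de CSP clickjacking bescherming voor frame-ancestors in en sta alleen 'self' als bron toe. Gebruik het onderstaande formulier om andere bronnen dan 'self' toe te staan."
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY_DESC="Deze optie gebruikt de Header 'Content-Security-Policy-Report-Only' in plaats van 'Content-Security-Policy'"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_REPORT_ONLY="Report-Only"
 PLG_SYSTEM_HTTPHEADER_CONTENTSECURITYPOLICY_VALUES="Waarde toevoegen"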
