From a55ab27c67c8f1b2bdedccbbbb5b3f0ae48f92f5 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Thu, 14 Jul 2022 14:59:28 +0200
Subject: [PATCH] Fix http header

---
 htdocs/install/inc.php | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/htdocs/install/inc.php b/htdocs/install/inc.php
index 6ca9a99cdcf..a20c3489866 100644
--- a/htdocs/install/inc.php
+++ b/htdocs/install/inc.php
@@ -195,6 +195,10 @@ if (preg_match('/install\.lock/i', $_SERVER["SCRIPT_FILENAME"])) {
 		$langs->setDefaultLang('auto');
 	}
 	$langs->load("install");
+
+	header("X-Content-Type-Options: nosniff");
+	header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+
 	print $langs->trans("YouTryInstallDisabledByDirLock");
 	if (!empty($dolibarr_main_url_root)) {
 		print 'Click on following link, <a href="'.$dolibarr_main_url_root.'/admin/index.php?mainmenu=home&leftmenu=setup'.(GETPOSTISSET("login") ? '&username='.urlencode(GETPOST("login")) : '').'">';
@@ -216,6 +220,10 @@ if (@file_exists($lockfile)) {
 		$langs->setDefaultLang('auto');
 	}
 	$langs->load("install");
+
+	header("X-Content-Type-Options: nosniff");
+	header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+
 	print $langs->trans("YouTryInstallDisabledByFileLock");
 	if (!empty($dolibarr_main_url_root)) {
 		print $langs->trans("ClickOnLinkOrRemoveManualy").'<br>';