diff --git a/includes/seckit.form.inc b/includes/seckit.form.inc index 7907318..c2d94de 100644 --- a/includes/seckit.form.inc +++ b/includes/seckit.form.inc @@ -272,7 +272,7 @@ function seckit_admin_form() { '#type' => 'textarea', '#title' => t('Allow-From'), '#default_value' => implode("\n", $options['seckit_clickjacking']['x_frame_allow_from']), - '#description' => t('Origin URIs (as specified by RFC 6454) for the "X-Frame-Options: Allow-From" value. One per line. Example, http://domain.com'), + '#description' => t('Origin URIs (as specified by RFC 6454) for the "X-Frame-Options: Allow-From" value. Space separated list of domains. Example: http://domain.com http://example.net'), ); // enable/disable JS + CSS + Noscript protection diff --git a/seckit.module b/seckit.module index 693e76a..cacf694 100644 --- a/seckit.module +++ b/seckit.module @@ -393,7 +393,7 @@ function _seckit_x_frame($setting) { $allowed = $options['seckit_clickjacking']['x_frame_allow_from']; if (count($allowed) == 1) { $value = array_pop($allowed); - drupal_add_http_header('X-Frame-Options', "Allow-From: $value"); + drupal_add_http_header('X-Frame-Options', "ALLOW-FROM $value"); } // If there were multiple values, then seckit_boot() took care of it. break; diff --git a/seckit.test b/seckit.test index af99e46..85f86b8 100644 --- a/seckit.test +++ b/seckit.test @@ -279,8 +279,8 @@ class SecKitTestCase extends DrupalWebTestCase { $form['seckit_clickjacking[x_frame]'] = SECKIT_X_FRAME_ALLOW_FROM; $form['seckit_clickjacking[x_frame_allow_from]'] = 'http://www.google.com'; $this->drupalPost('admin/config/system/seckit', $form, t('Save configuration')); - $this->assertEqual('Allow-From: http://www.google.com', $this->drupalGetHeader('X-Frame-Options'), - t('X-Frame-Options is set to Allow-From.')); + $this->assertEqual('ALLOW-FROM http://www.google.com', $this->drupalGetHeader('X-Frame-Options'), + t('X-Frame-Options is set to ALLOW-FROM.')); } /**