On Wed, Oct 19, 2011 at 8:05 PM, Andreas Dick <andudi@gmx.ch> wrote:

Am Mittwoch, 19. Oktober 2011, um 08.15:49 schrieb A.L.E.C:

> On 18.10.2011 22:17, Andreas Dick wrote:
> > security error: content at http://realserver.ch/roundcube/ is not allowed
> > to load data from von http://niceurl.ch/
>
> // X-Frame-Options HTTP header value sent to prevent from Clickjacking.
> // Possible values: sameorigin|deny. Set to false in order to disable
> sending them
> $rcmail_config['x_frame_options'] = 'sameorigin';

thanks ALEC!
this was the problem... I did not understand this feature, now I do :-)
Andreas

Just adding my two cents here:

We need to figure out more ways to effectively prevent clickjacking.

Is running RoundCube in a frame a huge feature for you guys? Because it opens the gates for all kinds of abuse.

Till