Add framebusting to Phabricator.

Summary:
Technically we didn't have it in the first place, but should. Also
add in X-Frame-Options for double-plus-good.

Test Plan:
Created a page with Phabricator in an <iframe />, got busted out
of it. Added in the X-Frame-Options, got an empty iframe.

Differential Revision: 38
Reviewed By: tomo
Reviewers: mroch, tomo

src/aphront/response/webpage/AphrontWebpageResponse.php

@@ -34,7 +34,8 @@ class AphrontWebpageResponse extends AphrontResponse {
 
   public function getHeaders() {
     return array(
-      array('Content-Type', 'text/html; charset=UTF-8'),
+      array('Content-Type',    'text/html; charset=UTF-8'),
+      array('X-Frame-Options', 'Deny'),
     );
   }
 

src/view/page/standard/PhabricatorStandardPageView.php

@@ -98,8 +98,11 @@ class PhabricatorStandardPageView extends AphrontPageView {
   protected function getHead() {
     $response = CelerityAPI::getStaticResourceResponse();
     return
+      '<script type="text/javascript">'.
+        '(top != self) && top.location.replace(self.location.href);'.
+        'window.__DEV__=1;'.
+      '</script>'.
       $response->renderResourcesOfType('css').
-      '<script type="text/javascript">window.__DEV__=1;</script>'.
       '<script type="text/javascript" src="/rsrc/js/javelin/init.dev.js">'.
       '</script>';
   }