From 1304e2eb2d422deb8abd89cc7570828f18ae504d Mon Sep 17 00:00:00 2001
From: Pierre Goiffon
Date: Fri, 4 Dec 2020 08:43:09 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B03416=20Updates=20after=20code=20review?= =?UTF-8?q?=20v2=20:)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 pages/ajax.document.php | 18 +++++++++++++++---
 pages/ajax.render.php | 6 +++++-
 2 files changed, 20 insertions(+), 4 deletions(-)
diff --git a/pages/ajax.document.php b/pages/ajax.document.php
index 80de595b0..c1bb4c667 100644
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -64,7 +64,11 @@ try
 $oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
 $oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
 $oPage->add_header("Expires: "); // Reset the value set in ajax_page
- $oPage->add_xframe_options(''); // the header is set in page constructor, we reset its value ! See N°3416
+
+ // X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
+ // so we're resetting its value ! (see N°3416)
+ $oPage->add_xframe_options('');
+
 $oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
 }
 }
@@ -81,7 +85,11 @@ try
 $oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
 $oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
 $oPage->add_header("Expires: "); // Reset the value set in ajax_page
- $oPage->add_xframe_options(''); // the header is set in page constructor, we reset its value ! See N°3416
+
+ // X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
+ // so we're resetting its value ! (see N°3416)
+ $oPage->add_xframe_options('');
+
 $oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
 }
 break;
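Review bot: The comment added above `$oPage->add_xframe_options('')` in the first cached-document branch of pages/ajax.document.php (hunk at -64,7) says framing must be allowed, but not by whom, and an empty value presumably lifts the restriction for every origin rather than only for the application's own pages. If these documents only need to be embedded by the application itself, a same-origin value would keep the clickjacking protection, e.g. `$oPage->add_xframe_options('SAMEORIGIN');`, assuming the method passes its argument through as the header value (its body is not part of this patch). If cross-origin framing really is required, the comment should name the trade-off, e.g. `// Empty value = no framing restriction: any site may embed this response (N°3416)`. The same applies to the identical block in the second branch (hunk at -81,7); both branches start and end outside their hunks.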
@@ -92,7 +100,11 @@ try
 $oPage->SetContentType('text/javascript');
 $oPage->add_header('Cache-control: public, max-age=86400'); // Cache for 24 hours
 $oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
- $oPage->add_xframe_options(''); // the header is set in page constructor, we reset its value ! See N°3416
+
+ // X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
+ // so we're resetting its value ! (see N°3416)
+ $oPage->add_xframe_options('');
+
 $oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
 break;
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index b2f167be9..688b670d1 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -958,7 +958,11 @@ try
 if (!empty($sClass) && ($sClass != 'InlineImage') && !empty($id) && !empty($sField))
 {
 $oKPI = new ExecutionKPI();
- $oPage->add_xframe_options(''); // the header is set in page constructor, we reset its value ! See N°3416
+
+ // X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
+ // so we're resetting its value ! (see N°3416)
+ $oPage->add_xframe_options('');
+
 ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'inline');
 $oKPI->ComputeAndReport('Data fetch and format');
 }
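Review bot: In the `text/javascript` branch of pages/ajax.document.php (hunk at -92,7) the copied comment `we need to allow frame integration for this specific page` does not explain the reset, because X-Frame-Options only governs documents rendered inside a frame and this response is served as a script. Either drop `$oPage->add_xframe_options('');` from this branch or state the real reason, e.g. `// Script response: the framing header has no effect here, cleared only for consistency with the document branches`. The `case` this block belongs to starts outside the hunk.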
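Review bot: In pages/ajax.render.php the frame restriction is cleared immediately before `ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'inline')`, so a stored document rendered inline could be embedded by any origin if the empty value means no restriction. Whether the served content type comes from the uploaded file is not visible in this hunk; if it does, this is the branch where keeping a same-origin restriction matters most. The comment should at least name the consumer that needs framing, e.g. `// Needed so <feature> can embed the document in an iframe (N°3416)`, where `<feature>` is a placeholder for the actual consumer. The enclosing `case` lies outside the hunk.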