Merge remote-tracking branch 'origin/support/2.7' into support/3.0

# Conflicts: # application/ajaxwebpage.class.inc.php # application/webpage.class.inc.php # application/xmlpage.class.inc.php # core/config.class.inc.php
2026-02-12 23:14:18 +01:00 · 2024-01-05 10:58:51 +01:00
parent 6042e7f74d a4f6f6e877
commit 48c4e2d13d
4 changed files with 52 additions and 5 deletions
--- a/core/config.class.inc.php
+++ b/core/config.class.inc.php
@@ -1531,6 +1531,14 @@ class Config
 			'source_of_value' => '',
 			'show_in_conf_sample' => false,
 		],
+		'security.enable_header_xcontent_type_options' => [
+			'type' => 'bool',
+			'description' => 'If set to false, iTop will stop sending the X-Content-Type-Options HTTP header. This header could trigger CORB protection on certain resources (JSON, XML, HTML, text) therefore blocking them.',
+			'default' => true,
+			'value' => '',
+			'source_of_value' => '',
+			'show_in_conf_sample' => false,
+		],
 		'security.disable_inline_documents_sandbox' => [
 			'type' => 'bool',
 			'description' => 'If true then the sandbox for documents displayed in a browser tab will be disabled; enabling scripts and other interactive content. Note that setting this to true will open the application to potential XSS attacks!',
--- a/sources/application/WebPage/AjaxPage.php
+++ b/sources/application/WebPage/AjaxPage.php
@@ -57,6 +57,16 @@ class AjaxPage extends WebPage implements iTabbedPage
 		$oKpi->ComputeStats(get_class($this).' creation', 'AjaxPage');
 	}

+	/**
+	 * Disabling sending the header so that resource won't be blocked by CORB. See parent method documentation.
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
+	 */
+	public function add_xcontent_type_options()
+	{
+		// Nothing to do !
+	}
+
 	/**
 	 * @see static::$bOutputDataOnly
 	 * @param bool $bFlag
--- a/sources/application/WebPage/WebPage.php
+++ b/sources/application/WebPage/WebPage.php
@@ -1015,13 +1015,12 @@ JS;
 	}

 	/**
-	 * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
+	 * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the `security_header_xframe` config parameter value.
 	 *
 	 * @since 2.7.3 3.0.0 N°3416
-	 * @uses security_header_xframe config parameter
 	 * @uses \utils::GetConfig()
 	 *
-	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options HTTP header MDN documentation
 	 */
 	public function add_xframe_options($sHeaderValue = null)
 	{
@@ -1033,13 +1032,34 @@ JS;
 	}

 	/**
+	 * Warning : this header will trigger the Cross-Origin Read Blocking (CORB) protection for some mime types (HTML, XML except SVG, JSON, text/plain)
+	 * In consequence some children pages will override this method.
+	 *
+	 * Sending header can be disabled globally using the `security.enable_header_xcontent_type_options` optional config parameter.
+	 *
 	 * @return void
 	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
 	 *
-	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options HTTP header MDN documentation
+	 * @link https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#determining-whether-a-response-is-corb_protected "Determining whether a response is CORB-protected"
 	 */
 	public function add_xcontent_type_options()
 	{
+		try {
+			$oConfig = utils::GetConfig();
+		} catch (ConfigException|CoreException $e) {
+			$oConfig = null;
+		}
+		if (is_null($oConfig)) {
+			$bSendXContentTypeOptionsHttpHeader = true;
+		} else {
+			$bSendXContentTypeOptionsHttpHeader = $oConfig->Get('security.enable_header_xcontent_type_options');
+		}
+
+		if ($bSendXContentTypeOptionsHttpHeader === false) {
+			return;
+		}
+
 		$this->add_header('X-Content-Type-Options: nosniff');
 	}

--- a/sources/application/WebPage/XMLPage.php
+++ b/sources/application/WebPage/XMLPage.php
@@ -46,8 +46,17 @@ class XMLPage extends WebPage
 		$this->add_http_headers();
 		$this->add_header("Content-location: export.xml");
 		$oKpi->ComputeStats(get_class($this).' creation', 'XMLPage');
-	}	
+	}

+	/**
+	 * Disabling sending the header so that resource won't be blocked by CORB. See parent method documentation.
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
+	 */
+	public function add_xcontent_type_options()
+	{
+		// Nothing to do !
+	}
 	public function output()
 	{
 		if (!$this->m_bPassThrough)