composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-04-22 01:58:47 +02:00
Code Issues Packages Projects Releases Wiki Activity

N°3416 XFrame-Options header is now set using a config parameter, defaults to SAMEORIGIN

Browse Source 
Also adds an indirection (\WebPage::add_xframe_options) to set header
This commit is contained in:
Pierre Goiffon
2020-12-02 16:47:28 +01:00
parent 1cf1473d6b
commit 8bfcb14d0c
12 changed files with 58 additions and 35 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
application/ajaxwebpage.class.inc.php
View File

@@ -44,7 +44,7 @@ class ajax_page extends WebPage implements iTabbedPage
$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
$this->add_header('Pragma: no-cache');
$this->add_header('Expires: 0');
$this->add_header('X-Frame-Options: deny');
$this->add_xframe_options();
$this->m_oTabs = new TabManager();
$this->sContentType = 'text/html';
$this->sContentDisposition = 'inline';

2
application/csvpage.class.inc.php
View File

@@ -35,7 +35,7 @@ class CSVPage extends WebPage
$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
$this->add_header('Pragma: no-cache');
$this->add_header('Expires: 0');
$this->add_header('X-Frame-Options: deny');
$this->add_xframe_options();
//$this->add_header("Content-Transfer-Encoding: binary");
}

2
application/itopwebpage.class.inc.php
View File

@@ -74,7 +74,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
$this->add_header('Pragma: no-cache');
$this->add_header('Expires: 0');
$this->add_header('X-Frame-Options: deny');
$this->add_xframe_options();
$this->add_linked_stylesheet("../css/jquery.treeview.css");
$this->add_linked_stylesheet("../css/jquery.autocomplete.css");
$this->add_linked_stylesheet("../css/jquery-ui-timepicker-addon.css");

2
application/loginwebpage.class.inc.php
View File

@@ -87,7 +87,7 @@ class LoginWebPage extends NiceWebPage
$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
$this->add_header('Pragma: no-cache');
$this->add_header('Expires: 0');
$this->add_header('X-Frame-Options: deny');
$this->add_xframe_options();
}
public function SetStyleSheet()

19
application/webpage.class.inc.php
View File

@@ -482,6 +482,23 @@ class WebPage implements Page
$this->a_headers[] = $s_header;
}
/**
* @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
*
* @since 2.7.2-2 3.0.0 N°3416
* @uses security_header_xframe config parameter
* @uses \utils::GetConfig()
* @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
*/
public function add_xframe_options($sHeaderValue = null)
{
if (is_null($sHeaderValue)) {
$sHeaderValue = utils::GetConfig()->Get('security_header_xframe');
}
$this->add_header('X-Frame-Options: '.$sHeaderValue);
}
/**
* Add needed headers to the page so that it will no be cached
*/
@@ -490,7 +507,7 @@ class WebPage implements Page
$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
$this->add_header('Pragma: no-cache');
$this->add_header('Expires: 0');
$this->add_header('X-Frame-Options: deny');
$this->add_xframe_options(); //FIXME shouldn't be done here !!!!!
}
/**

2
application/xmlpage.class.inc.php
View File

@@ -46,7 +46,7 @@ class XMLPage extends WebPage
$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
$this->add_header('Pragma: no-cache');
$this->add_header('Expires: 0');
$this->add_header('X-Frame-Options: deny');
$this->add_xframe_options();
$this->add_header("Content-location: export.xml");
}