N°3416 XFrame-Options header is now set using a config parameter, defaults to SAMEORIGIN

Also adds an indirection (\WebPage::add_xframe_options) to set the header
This commit is contained in:
Pierre Goiffon
2020-12-02 16:47:28 +01:00
parent 1cf1473d6b
commit 8bfcb14d0c
12 changed files with 58 additions and 35 deletions


@@ -62,9 +62,10 @@ try
ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'attachment');
if ($iCacheSec > 0)
{
$oPage->add_header("Expires: "); // Reset the value set in ajax_page
$oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
$oPage->add_header("Expires: "); // Reset the value set in ajax_page
$oPage->add_xframe_options('');
$oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
}
}
@@ -76,12 +77,12 @@ try
$id = utils::ReadParam('id', '');
$sSecret = utils::ReadParam('s', '');
$iCacheSec = 31556926; // One year ahead: an inline image cannot change
if (!empty($id) && !empty($sSecret))
{
if (!empty($id) && !empty($sSecret)) {
ormDocument::DownloadDocument($oPage, 'InlineImage', $id, 'contents', 'inline', 'secret', $sSecret);
$oPage->add_header("Expires: "); // Reset the value set in ajax_page
$oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
$oPage->add_header("Expires: "); // Reset the value set in ajax_page
$oPage->add_xframe_options('');
$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
}
break;
@@ -92,6 +93,7 @@ try
$oPage->SetContentType('text/javascript');
$oPage->add_header('Cache-control: public, max-age=86400'); // Cache for 24 hours
$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
$oPage->add_xframe_options('');
$oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
break;
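Review bot: The three new `$oPage->add_xframe_options('')` calls (the line after each `Pragma: cache` header) pass a bare empty string with no comment, while the same call in the other changed file carries `// resets header, see N°3416`; nothing at these sites tells a reader that `''` presumably means "send no X-Frame-Options". Suggest the same comment here, extended with the reason, e.g. `$oPage->add_xframe_options(''); // '' suppresses X-Frame-Options so this resource can be embedded by other origins, see N°3416`, or a dedicated no-argument method so the reset is not a magic value. Since the commit makes SAMEORIGIN the configured default elsewhere, it is worth stating why an attachment download, an inline image and a cached script (`SetContentType('text/javascript')`) are exempt, so the reset is not later mistaken for an accidental weakening. The first hunk also appears to move the `Expires:` reset below `Pragma: cache` (the line is printed twice) and the second hunk only reflows the `if` brace; both look unrelated to the header change. The enclosing `try` block starts and ends outside these hunks.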


@@ -961,7 +961,7 @@ try
if (!empty($sClass) && ($sClass != 'InlineImage') && !empty($id) && !empty($sField))
{
$oKPI = new ExecutionKPI();
$oPage->add_header('X-Frame-Options:'); // resets header, see N°3416
$oPage->add_xframe_options(''); // resets header, see N°3416
ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'inline');
$oKPI->ComputeAndReport('Data fetch and format');
}
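Review bot: The replacement `add_xframe_options('')` runs for any `$sClass`/`$sField` served with the `'inline'` disposition on the next line, so a user-uploaded document that the browser renders as a page (HTML, SVG, PDF) is sent without the framing protection that the rest of the application now defaults to; the commit preserves this pre-existing reset, but the comment should give the reason rather than only the ticket number. Suggest `$oPage->add_xframe_options(''); // '' sends no X-Frame-Options so inline documents stay embeddable in frames, see N°3416` — assuming `''` indeed suppresses the header, which the removed `add_header('X-Frame-Options:')` line suggests but the new method's body is not visible here. If only same-origin embedding is needed, passing the configured default instead of `''` would keep the protection for rendered uploads. The enclosing `try` block starts and ends outside the hunk.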