Merge remote-tracking branch 'origin/support/2.7' into develop

# Conflicts: # application/ajaxwebpage.class.inc.php # application/csvpage.class.inc.php # application/itopwebpage.class.inc.php # application/webpage.class.inc.php # application/xmlpage.class.inc.php # core/config.class.inc.php # css/css-variables.scss # datamodels/2.x/version.xml # pages/ajax.document.php # pages/ajax.render.php # pages/ajax.searchform.php # sources/application/TwigBase/Controller/Controller.php
2026-02-12 23:14:18 +01:00 · 2020-12-10 17:59:16 +01:00
parent abf6d5422e c4756e8cec
commit 96e7f57a34
34 changed files with 489 additions and 154 deletions
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -36,7 +36,6 @@ try
 	require_once(APPROOT.'/application/loginwebpage.class.inc.php');

 	$oPage = new AjaxPage("");
-	$oPage->no_cache();

 	$operation = utils::ReadParam('operation', '');
 	$sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');
@@ -59,9 +58,14 @@ try
 				ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'attachment');
 				if ($iCacheSec > 0)
 				{
-					$oPage->add_header("Expires: "); // Reset the value set in ajax_page
 					$oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
 					$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
+					$oPage->add_header("Expires: "); // Reset the value set in ajax_page
+
+					// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
+					// so we're resetting its value ! (see N°3416)
+					$oPage->add_xframe_options('');
+
 					$oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
 				}
 			}
@@ -73,12 +77,16 @@ try
 			$id = utils::ReadParam('id', '');
 			$sSecret = utils::ReadParam('s', '');
 			$iCacheSec = 31556926; // One year ahead: an inline image cannot change
-			if (!empty($id) && !empty($sSecret))
-			{
+			if (!empty($id) && !empty($sSecret)) {
 				ormDocument::DownloadDocument($oPage, 'InlineImage', $id, 'contents', 'inline', 'secret', $sSecret);
-				$oPage->add_header("Expires: "); // Reset the value set in ajax_page
 				$oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
 				$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
+				$oPage->add_header("Expires: "); // Reset the value set in ajax_page
+
+				// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
+				// so we're resetting its value ! (see N°3416)
+				$oPage->add_xframe_options('');
+
 				$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
 			}
 			break;
@@ -89,6 +97,11 @@ try
 			$oPage->SetContentType('text/javascript');
 			$oPage->add_header('Cache-control: public, max-age=86400'); // Cache for 24 hours
 			$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
+
+			// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
+			// so we're resetting its value ! (see N°3416)
+			$oPage->add_xframe_options('');
+
 			$oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
 			break;