Merge remote-tracking branch 'origin/support/2.7' into develop

# Conflicts: # application/ajaxwebpage.class.inc.php # application/csvpage.class.inc.php # application/itopwebpage.class.inc.php # application/webpage.class.inc.php # application/xmlpage.class.inc.php # core/config.class.inc.php # css/css-variables.scss # datamodels/2.x/version.xml # pages/ajax.document.php # pages/ajax.render.php # pages/ajax.searchform.php # sources/application/TwigBase/Controller/Controller.php
2026-04-24 02:58:43 +02:00 · 2020-12-10 17:59:16 +01:00
parent abf6d5422e c4756e8cec
commit 96e7f57a34
34 changed files with 489 additions and 154 deletions
--- a/sources/application/WebPage/WebPage.php
+++ b/sources/application/WebPage/WebPage.php
@@ -471,6 +471,23 @@ class WebPage implements Page
 		$this->a_headers[] = $s_header;
 	}

+	/**
+	 * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
+	 *
+	 * @since 2.7.2-2 3.0.0 N°3416
+	 * @uses security_header_xframe config parameter
+	 * @uses \utils::GetConfig()
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+	 */
+	public function add_xframe_options($sHeaderValue = null)
+	{
+		if (is_null($sHeaderValue)) {
+			$sHeaderValue = utils::GetConfig()->Get('security_header_xframe');
+		}
+
+		$this->add_header('X-Frame-Options: '.$sHeaderValue);
+	}
+
 	/**
 	 * Add needed headers to the page so that it will no be cached
 	 */
@@ -479,7 +496,6 @@ class WebPage implements Page
 		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 		$this->add_header('Pragma: no-cache');
 		$this->add_header('Expires: 0');
-		$this->add_header('X-Frame-Options: deny');
 	}

 	/**