N°4368 add sending X-Content-Type-Options HTTP header

Replace in consumers the \WebPage::add_xframe_options call by \WebPage::add_http_headers

application/ajaxwebpage.class.inc.php

@@ -42,7 +42,7 @@ class ajax_page extends WebPage implements iTabbedPage
 		$this->m_sReadyScript = "";
 		//$this->add_header("Content-type: text/html; charset=utf-8");
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->m_oTabs = new TabManager();
 		$this->sContentType = 'text/html';
 		$this->sContentDisposition = 'inline';

application/csvpage.class.inc.php

@@ -33,7 +33,7 @@ class CSVPage extends WebPage
 		parent::__construct($s_title);
 		$this->add_header("Content-type: text/plain; charset=".self::PAGES_CHARSET);
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		//$this->add_header("Content-Transfer-Encoding: binary");
 	}
 

application/itopwebpage.class.inc.php

@@ -71,7 +71,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 		$this->SetRootUrl(utils::GetAbsoluteUrlAppRoot());
 		$this->add_header("Content-type: text/html; charset=".self::PAGES_CHARSET);
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->add_linked_stylesheet("../css/jquery.treeview.css");
 		$this->add_linked_stylesheet("../css/jquery.autocomplete.css");
 		$this->add_linked_stylesheet("../css/jquery-ui-timepicker-addon.css");

application/loginwebpage.class.inc.php

@@ -85,7 +85,7 @@ class LoginWebPage extends NiceWebPage
 		parent::__construct($sTitle);
 		$this->SetStyleSheet();
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 	}
 	
 	public function SetStyleSheet()

application/webpage.class.inc.php

@@ -482,12 +482,25 @@ class WebPage implements Page
 		$this->a_headers[] = $s_header;
 	}
 
+	/**
+	 * @param string|null $sXFrameOptionsHeaderValue passed to {@see add_xframe_options}
+	 *
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation, replace {@see add_xframe_options} consumers call
+	 */
+	public function add_http_headers($sXFrameOptionsHeaderValue = null)
+	{
+		$this->add_xframe_options($sXFrameOptionsHeaderValue);
+		$this->add_xcontent_type_options();
+	}
+
 	/**
 	 * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
 	 *
 	 * @since 2.7.3 3.0.0 N°3416
 	 * @uses security_header_xframe config parameter
 	 * @uses \utils::GetConfig()
+	 *
 	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 	 */
 	public function add_xframe_options($sHeaderValue = null)
@@ -499,6 +512,17 @@ class WebPage implements Page
 		$this->add_header('X-Frame-Options: '.$sHeaderValue);
 	}
 
+	/**
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
+	 *
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+	 */
+	public function add_xcontent_type_options()
+	{
+		$this->add_header('X-Content-Type-Options: nosniff');
+	}
+
 	/**
 	 * Add needed headers to the page so that it will no be cached
 	 */

application/xmlpage.class.inc.php

@@ -44,7 +44,7 @@ class XMLPage extends WebPage
 		$this->m_bHeaderSent = false;
 		$this->add_header("Content-type: text/xml; charset=".self::PAGES_CHARSET);
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->add_header("Content-location: export.xml");
 	}
 

datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php

@@ -7,7 +7,7 @@ class HubConnectorPage extends NiceWebPage
 	    parent::__construct($sTitle);
 
 	    $this->no_cache();
-	    $this->add_xframe_options();
+	    $this->add_http_headers();
 
 	    $sImagesDir = utils::GetAbsoluteUrlAppRoot().'images';
 	    $sModuleImagesDir = utils::GetAbsoluteUrlModulesRoot().'itop-hub-connector/images';

pages/ajax.document.php

@@ -67,7 +67,7 @@ try
 
 					// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 					// so we're resetting its value ! (see N°3416)
-					$oPage->add_xframe_options('');
+					$oPage->add_http_headers('');
 
 					$oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
 				}
@@ -88,7 +88,7 @@ try
 
 				// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 				// so we're resetting its value ! (see N°3416)
-				$oPage->add_xframe_options('');
+				$oPage->add_http_headers('');
 
 				$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
 			}
@@ -103,7 +103,7 @@ try
 
 			// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 			// so we're resetting its value ! (see N°3416)
-			$oPage->add_xframe_options('');
+			$oPage->add_http_headers('');
 
 			$oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
 			break;

pages/ajax.render.php

@@ -1036,7 +1036,7 @@ try
 
 				// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 				// so we're resetting its value ! (see N°3416)
-				$oPage->add_xframe_options('');
+				$oPage->add_http_headers('');
 
 				// N°4129 - Prevent XSS attacks & other script executions
 				if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {

setup/email.test.php

@@ -38,7 +38,7 @@ $oP = new SetupPage('iTop email test utility');
 
 // Although this page doesn't expose sensitive info, with it we can send multiple emails
 // So we're adding this http header to reduce CSRF exposure...
-$oP->add_xframe_options('DENY');
+$oP->add_http_headers('DENY');
 
 
 /**

sources/application/TwigBase/Controller/Controller.php

@@ -576,7 +576,7 @@ abstract class Controller
 		{
 			case 'html':
 				$this->m_oPage = new iTopWebPage($this->GetOperationTitle());
-				$this->m_oPage->add_xframe_options();
+				$this->m_oPage->add_http_headers();
 
 				if ($this->m_bIsBreadCrumbEnabled) {
 					if (count($this->m_aBreadCrumbEntry) > 0) {

tests/php-unit-tests/legacy-tests/benchmark.php

@@ -782,7 +782,7 @@ try
 
 		case 'create_structure':
 			$oP->no_cache();
-			$oP->add_xframe_options('DENY');
+			$oP->add_http_headers('DENY');
 			$iPlannedContacts = Utils::ReadParam('plannedcontacts');
 			$iPlannedContracts = Utils::ReadParam('plannedcontracts');
 

webservices/export-v2.php

@@ -44,7 +44,7 @@ function ReportErrorAndExit($sErrorMessage)
 	else
 	{
 		$oP = new WebPage("iTop - Export");
-		$oP->add_xframe_options();
+		$oP->add_http_headers();
 		$oP->p('ERROR: '.$sErrorMessage);
 		$oP->output();
 		exit(-1);
@@ -63,7 +63,7 @@ function ReportErrorAndUsage($sErrorMessage)
 	}
 	else {
 		$oP = new WebPage("iTop - Export");
-		$oP->add_xframe_options();
+		$oP->add_http_headers();
 		$oP->p('ERROR: '.$sErrorMessage);
 		Usage($oP);
 		$oP->output();
@@ -729,14 +729,14 @@ try
 			// Note: Using NiceWebPage only for HTML export as it includes JS scripts & files, which makes no sense in other export formats. More over, it breaks Excel spreadsheet import.
 			if($oExporter instanceof HTMLBulkExport) {
 				$oP = new NiceWebPage('iTop export');
-				$oP->add_xframe_options();
+				$oP->add_http_headers();
 				$oP->add_ready_script("$('table.listResults').tablesorter({widgets: ['MyZebra']});");
 				$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
 				$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
 			}
 			else {
 				$oP = new WebPage('iTop export');
-				$oP->add_xframe_options();
+				$oP->add_http_headers();
 				$oP->add_style("table br { mso-data-placement:same-cell; }"); // Trick for Excel: keep line breaks inside the same cell !
 			}
 			$oP->add_style("body { overflow: auto; }");
@@ -759,7 +759,7 @@ catch (BulkExportMissingParameterException $e)
 }
 catch (Exception $e) {
 	$oP = new WebPage('iTop Export');
-	$oP->add_xframe_options();
+	$oP->add_http_headers();
 	$oP->add('Error: '.utils::HtmlEntities($e->getMessage()));
 	IssueLog::Error(utils::HtmlEntities($e->getMessage())."\n".$e->getTraceAsString());
 	$oP->output();