N°4368 add sending X-Content-Type-Options HTTP header
Replace, in consumers, the \WebPage::add_xframe_options call with \WebPage::add_http_headers
@@ -42,7 +42,7 @@ class ajax_page extends WebPage implements iTabbedPage
|
|||||||
$this->m_sReadyScript = "";
|
$this->m_sReadyScript = "";
|
||||||
//$this->add_header("Content-type: text/html; charset=utf-8");
|
//$this->add_header("Content-type: text/html; charset=utf-8");
|
||||||
$this->no_cache();
|
$this->no_cache();
|
||||||
$this->add_xframe_options();
|
$this->add_http_headers();
|
||||||
$this->m_oTabs = new TabManager();
|
$this->m_oTabs = new TabManager();
|
||||||
$this->sContentType = 'text/html';
|
$this->sContentType = 'text/html';
|
||||||
$this->sContentDisposition = 'inline';
|
$this->sContentDisposition = 'inline';
|
||||||
|
|||||||
@@ -33,7 +33,7 @@ class CSVPage extends WebPage
|
|||||||
parent::__construct($s_title);
|
parent::__construct($s_title);
|
||||||
$this->add_header("Content-type: text/plain; charset=".self::PAGES_CHARSET);
|
$this->add_header("Content-type: text/plain; charset=".self::PAGES_CHARSET);
|
||||||
$this->no_cache();
|
$this->no_cache();
|
||||||
$this->add_xframe_options();
|
$this->add_http_headers();
|
||||||
//$this->add_header("Content-Transfer-Encoding: binary");
|
//$this->add_header("Content-Transfer-Encoding: binary");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -71,7 +71,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
|
|||||||
$this->SetRootUrl(utils::GetAbsoluteUrlAppRoot());
|
$this->SetRootUrl(utils::GetAbsoluteUrlAppRoot());
|
||||||
$this->add_header("Content-type: text/html; charset=".self::PAGES_CHARSET);
|
$this->add_header("Content-type: text/html; charset=".self::PAGES_CHARSET);
|
||||||
$this->no_cache();
|
$this->no_cache();
|
||||||
$this->add_xframe_options();
|
$this->add_http_headers();
|
||||||
$this->add_linked_stylesheet("../css/jquery.treeview.css");
|
$this->add_linked_stylesheet("../css/jquery.treeview.css");
|
||||||
$this->add_linked_stylesheet("../css/jquery.autocomplete.css");
|
$this->add_linked_stylesheet("../css/jquery.autocomplete.css");
|
||||||
$this->add_linked_stylesheet("../css/jquery-ui-timepicker-addon.css");
|
$this->add_linked_stylesheet("../css/jquery-ui-timepicker-addon.css");
|
||||||
|
|||||||
@@ -85,7 +85,7 @@ class LoginWebPage extends NiceWebPage
|
|||||||
parent::__construct($sTitle);
|
parent::__construct($sTitle);
|
||||||
$this->SetStyleSheet();
|
$this->SetStyleSheet();
|
||||||
$this->no_cache();
|
$this->no_cache();
|
||||||
$this->add_xframe_options();
|
$this->add_http_headers();
|
||||||
}
|
}
|
||||||
|
|
||||||
public function SetStyleSheet()
|
public function SetStyleSheet()
|
||||||
|
|||||||
@@ -482,12 +482,25 @@ class WebPage implements Page
|
|||||||
$this->a_headers[] = $s_header;
|
$this->a_headers[] = $s_header;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @param string|null $sXFrameOptionsHeaderValue passed to {@see add_xframe_options}
|
||||||
|
*
|
||||||
|
* @return void
|
||||||
|
* @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation, replace {@see add_xframe_options} consumers call
|
||||||
|
*/
|
||||||
|
public function add_http_headers($sXFrameOptionsHeaderValue = null)
|
||||||
|
{
|
||||||
|
$this->add_xframe_options($sXFrameOptionsHeaderValue);
|
||||||
|
$this->add_xcontent_type_options();
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
|
* @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
|
||||||
*
|
*
|
||||||
* @since 2.7.3 3.0.0 N°3416
|
* @since 2.7.3 3.0.0 N°3416
|
||||||
* @uses security_header_xframe config parameter
|
* @uses security_header_xframe config parameter
|
||||||
* @uses \utils::GetConfig()
|
* @uses \utils::GetConfig()
|
||||||
|
*
|
||||||
* @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
* @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
||||||
*/
|
*/
|
||||||
public function add_xframe_options($sHeaderValue = null)
|
public function add_xframe_options($sHeaderValue = null)
|
||||||
@@ -499,6 +512,17 @@ class WebPage implements Page
|
|||||||
$this->add_header('X-Frame-Options: '.$sHeaderValue);
|
$this->add_header('X-Frame-Options: '.$sHeaderValue);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @return void
|
||||||
|
* @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
|
||||||
|
*
|
||||||
|
* @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
|
||||||
|
*/
|
||||||
|
public function add_xcontent_type_options()
|
||||||
|
{
|
||||||
|
$this->add_header('X-Content-Type-Options: nosniff');
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Add needed headers to the page so that it will no be cached
|
* Add needed headers to the page so that it will no be cached
|
||||||
*/
|
*/
|
||||||
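Review bot: The two new methods `add_http_headers` and `add_xcontent_type_options` are declared without parameter or return types, even though both docblocks promise `@return void`; `public function add_http_headers(?string $sXFrameOptionsHeaderValue = null): void` and `public function add_xcontent_type_options(): void` would let static analysis catch callers passing anything but a string, provided the supported PHP baseline allows nullable types. The docblock of `add_http_headers` lists only the parameter; a one-line summary such as `Send the security headers every page should carry: X-Frame-Options (config value or $sXFrameOptionsHeaderValue) and X-Content-Type-Options: nosniff` would tell a reader what the call does without opening both callees. `add_xframe_options` itself is cut by the hunk boundary (its body between old lines 494 and 498 is not shown), so whether an empty string passed through `add_http_headers('')` still suppresses the header, as the consumer comments assume, cannot be confirmed from this diff.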
|
|||||||
@@ -44,7 +44,7 @@ class XMLPage extends WebPage
|
|||||||
$this->m_bHeaderSent = false;
|
$this->m_bHeaderSent = false;
|
||||||
$this->add_header("Content-type: text/xml; charset=".self::PAGES_CHARSET);
|
$this->add_header("Content-type: text/xml; charset=".self::PAGES_CHARSET);
|
||||||
$this->no_cache();
|
$this->no_cache();
|
||||||
$this->add_xframe_options();
|
$this->add_http_headers();
|
||||||
$this->add_header("Content-location: export.xml");
|
$this->add_header("Content-location: export.xml");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -7,7 +7,7 @@ class HubConnectorPage extends NiceWebPage
|
|||||||
parent::__construct($sTitle);
|
parent::__construct($sTitle);
|
||||||
|
|
||||||
$this->no_cache();
|
$this->no_cache();
|
||||||
$this->add_xframe_options();
|
$this->add_http_headers();
|
||||||
|
|
||||||
$sImagesDir = utils::GetAbsoluteUrlAppRoot().'images';
|
$sImagesDir = utils::GetAbsoluteUrlAppRoot().'images';
|
||||||
$sModuleImagesDir = utils::GetAbsoluteUrlModulesRoot().'itop-hub-connector/images';
|
$sModuleImagesDir = utils::GetAbsoluteUrlModulesRoot().'itop-hub-connector/images';
|
||||||
|
|||||||
@@ -67,7 +67,7 @@ try
|
|||||||
|
|
||||||
// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
|
// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
|
||||||
// so we're resetting its value ! (see N°3416)
|
// so we're resetting its value ! (see N°3416)
|
||||||
$oPage->add_xframe_options('');
|
$oPage->add_http_headers('');
|
||||||
|
|
||||||
$oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
|
$oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
|
||||||
}
|
}
|
||||||
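Review bot: The comment above the call (`// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page` / `// so we're resetting its value ! (see N°3416)`) is now stale: `add_http_headers('')` also appends `X-Content-Type-Options: nosniff`, presumably already added by the page constructor (every constructor changed in this commit calls `add_http_headers()`), so the call no longer touches only X-Frame-Options. The same comment sits above the identical calls in the hunks at old lines 88, 103 and 1036. Suggest extending the second line to `// so we're resetting its value ! (see N°3416) - X-Content-Type-Options is re-added unchanged (N°4368)`. Whether the duplicate entry in `a_headers` is collapsed when the headers are emitted cannot be seen here, since `add_header` in the WebPage hunk appends unconditionally.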
@@ -88,7 +88,7 @@ try
|
|||||||
|
|
||||||
// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
|
// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
|
||||||
// so we're resetting its value ! (see N°3416)
|
// so we're resetting its value ! (see N°3416)
|
||||||
$oPage->add_xframe_options('');
|
$oPage->add_http_headers('');
|
||||||
|
|
||||||
$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
|
$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
|
||||||
}
|
}
|
||||||
@@ -103,7 +103,7 @@ try
|
|||||||
|
|
||||||
// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
|
// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
|
||||||
// so we're resetting its value ! (see N°3416)
|
// so we're resetting its value ! (see N°3416)
|
||||||
$oPage->add_xframe_options('');
|
$oPage->add_http_headers('');
|
||||||
|
|
||||||
$oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
|
$oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
|
||||||
break;
|
break;
|
||||||
|
|||||||
@@ -1036,7 +1036,7 @@ try
|
|||||||
|
|
||||||
// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
|
// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
|
||||||
// so we're resetting its value ! (see N°3416)
|
// so we're resetting its value ! (see N°3416)
|
||||||
$oPage->add_xframe_options('');
|
$oPage->add_http_headers('');
|
||||||
|
|
||||||
// N°4129 - Prevent XSS attacks & other script executions
|
// N°4129 - Prevent XSS attacks & other script executions
|
||||||
if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
|
if (utils::GetConfig()->Get('security.disable_inline_documents_sandbox') === false) {
|
||||||
|
|||||||
@@ -38,7 +38,7 @@ $oP = new SetupPage('iTop email test utility');
|
|||||||
|
|
||||||
// Although this page doesn't expose sensitive info, with it we can send multiple emails
|
// Although this page doesn't expose sensitive info, with it we can send multiple emails
|
||||||
// So we're adding this http header to reduce CSRF exposure...
|
// So we're adding this http header to reduce CSRF exposure...
|
||||||
$oP->add_xframe_options('DENY');
|
$oP->add_http_headers('DENY');
|
||||||
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|||||||
@@ -576,7 +576,7 @@ abstract class Controller
|
|||||||
{
|
{
|
||||||
case 'html':
|
case 'html':
|
||||||
$this->m_oPage = new iTopWebPage($this->GetOperationTitle());
|
$this->m_oPage = new iTopWebPage($this->GetOperationTitle());
|
||||||
$this->m_oPage->add_xframe_options();
|
$this->m_oPage->add_http_headers();
|
||||||
|
|
||||||
if ($this->m_bIsBreadCrumbEnabled) {
|
if ($this->m_bIsBreadCrumbEnabled) {
|
||||||
if (count($this->m_aBreadCrumbEntry) > 0) {
|
if (count($this->m_aBreadCrumbEntry) > 0) {
|
||||||
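Review bot: The `$this->m_oPage->add_http_headers();` call right after `new iTopWebPage(...)` looks redundant: the `iTopWebPage` hunk in this same commit, which appears to be its constructor, already calls `add_http_headers()`, so `X-Frame-Options` and `X-Content-Type-Options: nosniff` are each appended to `a_headers` twice. The duplication pre-dates this commit for X-Frame-Options; if the output path relies on PHP's default header() replacement it is harmless, but either dropping the line or annotating it with `// headers already set by iTopWebPage::__construct, repeated on purpose` would settle the question for the next reader. The enclosing switch starts before this hunk.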
|
|||||||
@@ -782,7 +782,7 @@ try
|
|||||||
|
|
||||||
case 'create_structure':
|
case 'create_structure':
|
||||||
$oP->no_cache();
|
$oP->no_cache();
|
||||||
$oP->add_xframe_options('DENY');
|
$oP->add_http_headers('DENY');
|
||||||
$iPlannedContacts = Utils::ReadParam('plannedcontacts');
|
$iPlannedContacts = Utils::ReadParam('plannedcontacts');
|
||||||
$iPlannedContracts = Utils::ReadParam('plannedcontracts');
|
$iPlannedContracts = Utils::ReadParam('plannedcontracts');
|
||||||
|
|
||||||
|
|||||||
@@ -44,7 +44,7 @@ function ReportErrorAndExit($sErrorMessage)
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
$oP = new WebPage("iTop - Export");
|
$oP = new WebPage("iTop - Export");
|
||||||
$oP->add_xframe_options();
|
$oP->add_http_headers();
|
||||||
$oP->p('ERROR: '.$sErrorMessage);
|
$oP->p('ERROR: '.$sErrorMessage);
|
||||||
$oP->output();
|
$oP->output();
|
||||||
exit(-1);
|
exit(-1);
|
||||||
@@ -63,7 +63,7 @@ function ReportErrorAndUsage($sErrorMessage)
|
|||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$oP = new WebPage("iTop - Export");
|
$oP = new WebPage("iTop - Export");
|
||||||
$oP->add_xframe_options();
|
$oP->add_http_headers();
|
||||||
$oP->p('ERROR: '.$sErrorMessage);
|
$oP->p('ERROR: '.$sErrorMessage);
|
||||||
Usage($oP);
|
Usage($oP);
|
||||||
$oP->output();
|
$oP->output();
|
||||||
@@ -729,14 +729,14 @@ try
|
|||||||
// Note: Using NiceWebPage only for HTML export as it includes JS scripts & files, which makes no sense in other export formats. More over, it breaks Excel spreadsheet import.
|
// Note: Using NiceWebPage only for HTML export as it includes JS scripts & files, which makes no sense in other export formats. More over, it breaks Excel spreadsheet import.
|
||||||
if($oExporter instanceof HTMLBulkExport) {
|
if($oExporter instanceof HTMLBulkExport) {
|
||||||
$oP = new NiceWebPage('iTop export');
|
$oP = new NiceWebPage('iTop export');
|
||||||
$oP->add_xframe_options();
|
$oP->add_http_headers();
|
||||||
$oP->add_ready_script("$('table.listResults').tablesorter({widgets: ['MyZebra']});");
|
$oP->add_ready_script("$('table.listResults').tablesorter({widgets: ['MyZebra']});");
|
||||||
$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
|
$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
|
||||||
$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
|
$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$oP = new WebPage('iTop export');
|
$oP = new WebPage('iTop export');
|
||||||
$oP->add_xframe_options();
|
$oP->add_http_headers();
|
||||||
$oP->add_style("table br { mso-data-placement:same-cell; }"); // Trick for Excel: keep line breaks inside the same cell !
|
$oP->add_style("table br { mso-data-placement:same-cell; }"); // Trick for Excel: keep line breaks inside the same cell !
|
||||||
}
|
}
|
||||||
$oP->add_style("body { overflow: auto; }");
|
$oP->add_style("body { overflow: auto; }");
|
||||||
@@ -759,7 +759,7 @@ catch (BulkExportMissingParameterException $e)
|
|||||||
}
|
}
|
||||||
catch (Exception $e) {
|
catch (Exception $e) {
|
||||||
$oP = new WebPage('iTop Export');
|
$oP = new WebPage('iTop Export');
|
||||||
$oP->add_xframe_options();
|
$oP->add_http_headers();
|
||||||
$oP->add('Error: '.utils::HtmlEntities($e->getMessage()));
|
$oP->add('Error: '.utils::HtmlEntities($e->getMessage()));
|
||||||
IssueLog::Error(utils::HtmlEntities($e->getMessage())."\n".$e->getTraceAsString());
|
IssueLog::Error(utils::HtmlEntities($e->getMessage())."\n".$e->getTraceAsString());
|
||||||
$oP->output();
|
$oP->output();
|
||||||
|
|||||||