N°4368 Fix CORB blocking regression (#598)

Don't send the X-Content-Type-Options HTTP header for certain WebPage implementations, to work around CORB blocking.
To globally disable this new behavior (introduced in 9865bf07), set the `security.enable_header_xcontent_type_options` config parameter to false.

Thanks @Molkobain for the review !
This commit is contained in:
Pierre Goiffon
2024-01-05 10:41:18 +01:00
committed by GitHub
parent 94c604a6af
commit a4f6f6e877
4 changed files with 52 additions and 4 deletions


@@ -51,6 +51,16 @@ class ajax_page extends WebPage implements iTabbedPage
utils::InitArchiveMode(); utils::InitArchiveMode();
} }
/**
* Disabling sending the header so that resource won't be blocked by CORB. See parent method documentation.
* @return void
* @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
*/
public function add_xcontent_type_options()
{
// Nothing to do !
}
/** /**
* @inheritDoc * @inheritDoc
* @throws \Exception * @throws \Exception
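Review bot: The override drops the header unconditionally, so the new `security.enable_header_xcontent_type_options` switch has no effect on ajax_page responses, and because nosniff is gone the browser may again MIME-sniff whatever these responses return; the identical override added in XMLPage has the same property. The `// Nothing to do !` body hides that trade-off, so I would replace it with `// Deliberately not sending 'X-Content-Type-Options: nosniff': with it, CORB blocks cross-origin reads of JSON/XML/HTML/text responses; without it the browser may sniff the content type, so these responses must set an explicit Content-Type.` and keep the rationale in the docblock as it is. Adding a `: void` return type to the override would match the `@return void` tag; a child may add a return type the parent omits, so this stays compatible with the WebPage signature.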


@@ -495,13 +495,12 @@ class WebPage implements Page
} }
/** /**
* @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value. * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the `security_header_xframe` config parameter value.
* *
* @since 2.7.3 3.0.0 N°3416 * @since 2.7.3 3.0.0 N°3416
* @uses security_header_xframe config parameter
* @uses \utils::GetConfig() * @uses \utils::GetConfig()
* *
* @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options HTTP header MDN documentation
*/ */
public function add_xframe_options($sHeaderValue = null) public function add_xframe_options($sHeaderValue = null)
{ {
@@ -513,13 +512,34 @@ class WebPage implements Page
} }
/** /**
* Warning : this header will trigger the Cross-Origin Read Blocking (CORB) protection for some mime types (HTML, XML except SVG, JSON, text/plain)
* In consequence some children pages will override this method.
*
* Sending header can be disabled globally using the `security.enable_header_xcontent_type_options` optional config parameter.
*
* @return void * @return void
* @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
* *
* @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options HTTP header MDN documentation
* @link https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md#determining-whether-a-response-is-corb_protected "Determining whether a response is CORB-protected"
*/ */
public function add_xcontent_type_options() public function add_xcontent_type_options()
{ {
try {
$oConfig = utils::GetConfig();
} catch (ConfigException|CoreException $e) {
$oConfig = null;
}
if (is_null($oConfig)) {
$bSendXContentTypeOptionsHttpHeader = true;
} else {
$bSendXContentTypeOptionsHttpHeader = $oConfig->Get('security.enable_header_xcontent_type_options');
}
if ($bSendXContentTypeOptionsHttpHeader === false) {
return;
}
$this->add_header('X-Content-Type-Options: nosniff'); $this->add_header('X-Content-Type-Options: nosniff');
} }
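Review bot: In the new body of add_xcontent_type_options (second hunk) the `$oConfig = null` / `is_null()` detour and the intermediate `$bSendXContentTypeOptionsHttpHeader` exist only to pick the default, and the fail-safe intent (config unreadable → header still sent) is not written down anywhere; the same logic reads more directly as `if ($oConfig !== null && $oConfig->Get('security.enable_header_xcontent_type_options') === false) { return; }` after the try/catch, with `// Config unreadable: fail safe and keep sending the header` on the `$oConfig = null;` line. The strict `=== false` test means only a boolean false disables the header, which presumably relies on the `'type' => 'bool'` entry being normalized by Config::Get(); worth confirming it does not hand back the raw string from the config file, since a string value would silently leave the header enabled. The first hunk's add_xframe_options continues outside the hunk.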


@@ -48,6 +48,16 @@ class XMLPage extends WebPage
$this->add_header("Content-location: export.xml"); $this->add_header("Content-location: export.xml");
} }
/**
* Disabling sending the header so that resource won't be blocked by CORB. See parent method documentation.
* @return void
* @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
*/
public function add_xcontent_type_options()
{
// Nothing to do !
}
public function output() public function output()
{ {
if (!$this->m_bPassThrough) if (!$this->m_bPassThrough)


@@ -1320,6 +1320,14 @@ class Config
'source_of_value' => '', 'source_of_value' => '',
'show_in_conf_sample' => false, 'show_in_conf_sample' => false,
], ],
'security.enable_header_xcontent_type_options' => [
'type' => 'bool',
'description' => 'If set to false, iTop will stop sending the X-Content-Type-Options HTTP header. This header could trigger CORB protection on certain resources (JSON, XML, HTML, text) therefore blocking them.',
'default' => true,
'value' => '',
'source_of_value' => '',
'show_in_conf_sample' => false,
],
'behind_reverse_proxy' => [ 'behind_reverse_proxy' => [
'type' => 'bool', 'type' => 'bool',
'description' => 'If true, then proxies custom header (X-Forwarded-*) are taken into account. Use only if the webserver is not publicly accessible (reachable only by the reverse proxy)', 'description' => 'If true, then proxies custom header (X-Forwarded-*) are taken into account. Use only if the webserver is not publicly accessible (reachable only by the reverse proxy)',
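Review bot: The description of the new `security.enable_header_xcontent_type_options` entry explains why an admin might disable the header but not what is given up by doing so, and with `'show_in_conf_sample' => false` this text is the only place an operator will learn about the switch. I would extend it to `'description' => 'If set to false, iTop will stop sending the X-Content-Type-Options: nosniff HTTP header (default: true). This header could trigger CORB protection on certain resources (JSON, XML, HTML, text) therefore blocking them; without it browsers may MIME-sniff responses, so only disable it if a specific integration is broken.',`. Note that the ajax_page and XMLPage overrides in this commit skip the header regardless of this parameter, which the description could also state so the flag is not expected to re-enable it there.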