Merge remote-tracking branch 'origin/support/3.1' into develop

application/loginwebpage.class.inc.php

@@ -90,7 +90,7 @@ class LoginWebPage extends NiceWebPage
 		parent::__construct($sTitle);
 		$this->SetStyleSheet();
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 	}
 	
 	public function SetStyleSheet()

datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php

@@ -8,7 +8,7 @@ class HubConnectorPage extends NiceWebPage
 		parent::__construct($sTitle);
 
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 
 		$sImagesDir = utils::GetAbsoluteUrlAppRoot().'images';
 		$sModuleImagesDir = utils::GetAbsoluteUrlModulesRoot().'itop-hub-connector/images';

pages/ajax.document.php

@@ -62,7 +62,7 @@ try
 					$oPage->set_cache($iCacheSec);
 					// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 					// so we're resetting its value ! (see N°3416)
-					$oPage->add_xframe_options('');
+					$oPage->add_http_headers('');
 				}
 			}
 			break;
@@ -81,7 +81,7 @@ try
 
 				// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 				// so we're resetting its value ! (see N°3416)
-				$oPage->add_xframe_options('');
+				$oPage->add_http_headers('');
 
 				$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
 			}
@@ -94,7 +94,7 @@ try
 
 			// X-Frame http header : set in page constructor, but we need to allow frame integration for this specific page
 			// so we're resetting its value ! (see N°3416)
-			$oPage->add_xframe_options('');
+			$oPage->add_http_headers('');
 
 			$oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
 			break;

setup/email.test.php

@@ -38,7 +38,7 @@ $oP = new SetupPage('iTop email test utility');
 
 // Although this page doesn't expose sensitive info, with it we can send multiple emails
 // So we're adding this http header to reduce CSRF exposure...
-$oP->add_xframe_options('DENY');
+$oP->add_http_headers('DENY');
 
 
 /**

sources/Application/TwigBase/Controller/Controller.php

@@ -687,7 +687,7 @@ abstract class Controller extends AbstractController
 		{
 			case self::ENUM_PAGE_TYPE_HTML:
 				$this->m_oPage = new iTopWebPage($this->GetOperationTitle(), false);
-				$this->m_oPage->add_xframe_options();
+				$this->m_oPage->add_http_headers();
 
 				if ($this->m_bIsBreadCrumbEnabled) {
 					if (count($this->m_aBreadCrumbEntry) > 0) {

sources/Application/WebPage/AjaxPage.php

@@ -46,7 +46,7 @@ class AjaxPage extends WebPage implements iTabbedPage
 		parent::__construct($s_title, $bPrintable);
 		//$this->add_header("Content-type: text/html; charset=utf-8");
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->m_oTabs = new TabManager();
 		$this->sContentType = 'text/html';
 		$this->sContentDisposition = 'inline';

sources/Application/WebPage/CSVPage.php

@@ -34,7 +34,7 @@ class CSVPage extends WebPage
 	    parent::__construct($s_title);
 	    $this->add_header("Content-type: text/plain; charset=".self::PAGES_CHARSET);
 	    $this->no_cache();
-	    $this->add_xframe_options();
+	    $this->add_http_headers();
 	    //$this->add_header("Content-Transfer-Encoding: binary");
 	    $oKpi->ComputeStats(get_class($this).' creation', 'CSVPage');
     }	

sources/Application/WebPage/WebPage.php

@@ -1002,12 +1002,25 @@ JS;
 		$this->a_headers[] = $s_header;
 	}
 
+	/**
+	 * @param string|null $sXFrameOptionsHeaderValue passed to {@see add_xframe_options}
+	 *
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation, replace {@see add_xframe_options} consumers call
+	 */
+	public function add_http_headers($sXFrameOptionsHeaderValue = null)
+	{
+		$this->add_xframe_options($sXFrameOptionsHeaderValue);
+		$this->add_xcontent_type_options();
+	}
+
 	/**
 	 * @param string|null $sHeaderValue for example `SAMESITE`. If null will set the header using the config parameter value.
 	 *
 	 * @since 2.7.3 3.0.0 N°3416
 	 * @uses security_header_xframe config parameter
 	 * @uses \utils::GetConfig()
+	 *
 	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
 	 */
 	public function add_xframe_options($sHeaderValue = null)
@@ -1019,6 +1032,17 @@ JS;
 		$this->add_header('X-Frame-Options: '.$sHeaderValue);
 	}
 
+	/**
+	 * @return void
+	 * @since 2.7.10 3.0.4 3.1.2 3.2.0 N°4368 method creation
+	 *
+	 * @link https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options
+	 */
+	public function add_xcontent_type_options()
+	{
+		$this->add_header('X-Content-Type-Options: nosniff');
+	}
+
 	/**
 	 * Add needed headers to the page so that it will no be cached
 	 */

sources/Application/WebPage/XMLPage.php

@@ -44,7 +44,7 @@ class XMLPage extends WebPage
 		$this->m_bHeaderSent = false;
 		$this->add_header("Content-type: text/xml; charset=".self::PAGES_CHARSET);
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->add_header("Content-location: export.xml");
 		$oKpi->ComputeStats(get_class($this).' creation', 'XMLPage');
 	}	

sources/Application/WebPage/iTopWebPage.php

@@ -137,7 +137,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 		$this->SetRootUrl(utils::GetAbsoluteUrlAppRoot());
 		$this->add_header("Content-type: text/html; charset=".self::PAGES_CHARSET);
 		$this->no_cache();
-		$this->add_xframe_options();
+		$this->add_http_headers();
 		$this->PrepareLayout();
 		if ($this->IsPrintableVersion()) {
 			$oPrintHeader = $this->OutputPrintable();

tests/php-unit-tests/legacy-tests/benchmark.php

@@ -781,7 +781,7 @@ try
 
 		case 'create_structure':
 			$oP->no_cache();
-			$oP->add_xframe_options('DENY');
+			$oP->add_http_headers('DENY');
 			$iPlannedContacts = Utils::ReadParam('plannedcontacts');
 			$iPlannedContracts = Utils::ReadParam('plannedcontracts');
 

webservices/export-v2.php

@@ -38,7 +38,7 @@ function ReportErrorAndExit($sErrorMessage)
 	else
 	{
 		$oP = new WebPage("iTop - Export");
-		$oP->add_xframe_options();
+		$oP->add_http_headers();
 		$oP->p('ERROR: '.utils::HtmlEntities($sErrorMessage));
 		$oP->output();
 		exit(EXIT_CODE_ERROR);
@@ -57,7 +57,7 @@ function ReportErrorAndUsage($sErrorMessage)
 	}
 	else {
 		$oP = new WebPage("iTop - Export");
-		$oP->add_xframe_options();
+		$oP->add_http_headers();
 		$oP->p('ERROR: '.$sErrorMessage);
 		Usage($oP);
 		$oP->output();
@@ -698,13 +698,13 @@ try
 			// Note: Using NiceWebPage only for HTML export as it includes JS scripts & files, which makes no sense in other export formats. More over, it breaks Excel spreadsheet import.
 			if ($oExporter instanceof HTMLBulkExport) {
 				$oP = new NiceWebPage('iTop export');
-				$oP->add_xframe_options();
+				$oP->add_http_headers();
 				$oP->add_ready_script("$('table.listResults').tablesorter({widgets: ['MyZebra']});");
 				$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
 				$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
 			} else {
 				$oP = new WebPage('iTop export');
-				$oP->add_xframe_options();
+				$oP->add_http_headers();
 				$oP->add_style("table br { mso-data-placement:same-cell; }"); // Trick for Excel: keep line breaks inside the same cell !
 			}
 			$oP->add_style("body { overflow: auto; }");
@@ -724,7 +724,7 @@ catch (BulkExportMissingParameterException $e) {
 }
 catch (Exception $e) {
 	$oP = new WebPage('iTop Export');
-	$oP->add_xframe_options();
+	$oP->add_http_headers();
 	$oP->add('Error: '.utils::HtmlEntities($e->getMessage()));
 	IssueLog::Error(utils::HtmlEntities($e->getMessage())."\n".$e->getTraceAsString());
 	$oP->output();