N°3416 XFrame and cache headers optimizations

* Remove XFrame header set in \WebPage::no_cache : not this method responsability, was confusing :/
* Remove no_cache() calls when already set in page constructor (ajax_page mainly)
* Also calls everywhere the \WebPage::no_cache method instead of setting headers manually

application/ajaxwebpage.class.inc.php

@@ -41,9 +41,7 @@ class ajax_page extends WebPage implements iTabbedPage
 		parent::__construct($s_title, $bPrintable);
 		$this->m_sReadyScript = "";
 		//$this->add_header("Content-type: text/html; charset=utf-8");
-		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
-		$this->add_header('Pragma: no-cache');
-		$this->add_header('Expires: 0');
+		$this->no_cache();
 		$this->add_xframe_options();
 		$this->m_oTabs = new TabManager();
 		$this->sContentType = 'text/html';

application/csvpage.class.inc.php

@@ -32,9 +32,7 @@ class CSVPage extends WebPage
 	function __construct($s_title) {
 		parent::__construct($s_title);
 		$this->add_header("Content-type: text/plain; charset=".self::PAGES_CHARSET);
-		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
-		$this->add_header('Pragma: no-cache');
-		$this->add_header('Expires: 0');
+		$this->no_cache();
 		$this->add_xframe_options();
 		//$this->add_header("Content-Transfer-Encoding: binary");
 	}

application/itopwebpage.class.inc.php

@@ -60,8 +60,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 			// Create a breadcrumb entry for the current page, but get its title as late as possible (page title could be changed later)
 			$this->bBreadCrumbEnabled = true;
 		}
-		else
-		{
+		else {
 			$this->bBreadCrumbEnabled = false;
 		}
 
@@ -71,9 +70,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 		$this->m_aMessages = array();
 		$this->SetRootUrl(utils::GetAbsoluteUrlAppRoot());
 		$this->add_header("Content-type: text/html; charset=".self::PAGES_CHARSET);
-		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
-		$this->add_header('Pragma: no-cache');
-		$this->add_header('Expires: 0');
+		$this->no_cache();
 		$this->add_xframe_options();
 		$this->add_linked_stylesheet("../css/jquery.treeview.css");
 		$this->add_linked_stylesheet("../css/jquery.autocomplete.css");

application/loginwebpage.class.inc.php

@@ -84,9 +84,7 @@ class LoginWebPage extends NiceWebPage
 
 		parent::__construct($sTitle);
 		$this->SetStyleSheet();
-		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
-		$this->add_header('Pragma: no-cache');
-		$this->add_header('Expires: 0');
+		$this->no_cache();
 		$this->add_xframe_options();
 	}
 	

application/webpage.class.inc.php

@@ -507,7 +507,6 @@ class WebPage implements Page
 		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 		$this->add_header('Pragma: no-cache');
 		$this->add_header('Expires: 0');
-		$this->add_xframe_options(); //FIXME shouldn't be done here !!!!!
 	}
 
 	/**

application/xmlpage.class.inc.php

@@ -43,9 +43,7 @@ class XMLPage extends WebPage
 		$this->m_bPassThrough = $bPassThrough;
 		$this->m_bHeaderSent = false;
 		$this->add_header("Content-type: text/xml; charset=".self::PAGES_CHARSET);
-		$this->add_header('Cache-control: no-cache, no-store, must-revalidate');
-		$this->add_header('Pragma: no-cache');
-		$this->add_header('Expires: 0');
+		$this->no_cache();
 		$this->add_xframe_options();
 		$this->add_header("Content-location: export.xml");
 	}

core/spreadsheetbulkexport.class.inc.php

@@ -199,8 +199,8 @@ EOF
 		// Integration within MS-Excel web queries + HTTPS + IIS:
 		// MS-IIS set these header values with no-cache... while Excel fails to do the job if using HTTPS
 		// Then the fix is to force the reset of header values Pragma and Cache-control
-		$oPage->add_header("Pragma:", true);
-		$oPage->add_header("Cache-control:", true);
+		$oPage->add_header("Pragma:");
+		$oPage->add_header("Cache-control:");
 	}
 
 	public function GetHeader()

datamodels/2.x/combodo-db-tools/dbtools.php

@@ -212,9 +212,9 @@ function DisplayInconsistenciesReport($aResults)
 	header('Content-Description: File Transfer');
 	header('Content-Type: multipart/x-zip');
 	header('Content-Disposition: inline; filename="'.basename($sZipReport).'"');
-	header('Expires: 0');
 	header('Cache-Control: must-revalidate');
 	header('Pragma: public');
+	header('Expires: 0');
 	header('Content-Length: '.filesize($sZipReport));
 	readfile($sZipReport);
 	unlink($sZipReport);

datamodels/2.x/itop-attachments/ajax.itop-attachment.php

@@ -61,7 +61,6 @@ try
 	LoginWebPage::DoLoginEx(null /* any portal */, false);
 
 	$oPage = new ajax_page("");
-	$oPage->no_cache();
 
 	$sOperation = utils::ReadParam('operation', '');
 

datamodels/2.x/itop-backup/ajax.backup.php

@@ -51,7 +51,6 @@ function DisplayErrorAndDie($oPage, $sHtmlErrorMessage, $exitCode = null)
 $sOperation = utils::ReadParam('operation', '');
 
 $oPage = new ajax_page('');
-$oPage->no_cache();
 $oPage->SetContentType('text/html');
 
 

datamodels/2.x/itop-hub-connector/ajax.php

@@ -111,7 +111,6 @@ function DoBackup($sTargetFile)
 function ReportStatus($sMessage, $bSuccess, $iErrorCode = 0, $aMoreFields = array())
 {
 	$oPage = new ajax_page("");
-	$oPage->no_cache();
 	$oPage->SetContentType('application/json');
 	$aResult = array(
 		'code' => $iErrorCode,

datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php

@@ -6,9 +6,7 @@ class HubConnectorPage extends NiceWebPage
     {
 	    parent::__construct($sTitle);
 
-	    $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
-	    $this->add_header('Pragma: no-cache');
-	    $this->add_header('Expires: 0');
+	    $this->no_cache();
 	    $this->add_xframe_options();
 
 	    $sImagesDir = utils::GetAbsoluteUrlAppRoot().'images';

pages/ajax.csvimport.php

@@ -242,7 +242,6 @@ try
 	{
 		case 'parser_preview':
 		$oPage = new ajax_page("");
-		$oPage->no_cache();
 		$oPage->SetContentType('text/html');
 		$sSeparator = utils::ReadParam('separator', ',', false, 'raw_data');
 		if ($sSeparator == 'tab') $sSeparator = "\t";

pages/ajax.document.php

@@ -38,7 +38,6 @@ try
 	require_once(APPROOT.'/application/loginwebpage.class.inc.php');
 
 	$oPage = new ajax_page("");
-	$oPage->no_cache();
 
 	$operation = utils::ReadParam('operation', '');
 	$sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');

pages/ajax.render.php

@@ -68,8 +68,6 @@ try
 	LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 
 	$oPage = new ajax_page("");
-	$oPage->no_cache();
-
 
 	$sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 	$sEncoding = utils::ReadParam('encoding', 'serialize');
@@ -889,13 +887,12 @@ try
 		case 'chart':
 			// Workaround for IE8 + IIS + HTTPS
 			// See TRAC #363, fix described here: http://forums.codecharge.com/posts.php?post_id=97771
-			$oPage->add_header("Expires: Fri, 17 Jul 1970 05:00:00 GMT");
 			$oPage->add_header("Cache-Control: cache, must-revalidate");
 			$oPage->add_header("Pragma: public");
+			$oPage->add_header("Expires: Fri, 17 Jul 1970 05:00:00 GMT");
 
 			$aParams = utils::ReadParam('params', array(), false, 'raw_data');
-			if ($sFilter != '')
-			{
+			if ($sFilter != '') {
 				$oFilter = DBSearch::unserialize($sFilter);
 				$oKPI = new ExecutionKPI();
 				$oDisplayBlock = new DisplayBlock($oFilter, 'chart_ajax', false);

pages/ajax.searchform.php

@@ -49,7 +49,6 @@ try
 	}
 
 	$oPage = new ajax_page("");
-	$oPage->no_cache();
 	$oPage->SetContentType('text/html');
 
 	$sListParams = utils::ReadParam('list_params', '{}', false, 'raw_data');

setup/email.test.php

@@ -255,11 +255,12 @@ try
 		break;
 		
 		case 'step2':
-		$oP->no_cache();
-		$sTo = Utils::ReadParam('to', '', false, 'raw_data');
-		$sFrom = Utils::ReadParam('from', '', false, 'raw_data');
-		DisplayStep2($oP, $sFrom, $sTo);
-		break;
+			$oP->no_cache();
+			$oP->add_xframe_options('DENY');
+			$sTo = Utils::ReadParam('to', '', false, 'raw_data');
+			$sFrom = Utils::ReadParam('from', '', false, 'raw_data');
+			DisplayStep2($oP, $sFrom, $sTo);
+			break;
 
 		default:
 		$oP->error("Error: unsupported operation '$sOperation'");

sources/application/TwigBase/Controller/Controller.php

@@ -435,18 +435,16 @@ abstract class Controller
 		$sFileMimeType = utils::GetFileMimeType($sFilePath);
 		header('Content-Type: '.$sFileMimeType);
 
-		if ($bFileTransfer)
-		{
+		if ($bFileTransfer) {
 			header('Content-Description: File Transfer');
 			header('Content-Disposition: inline; filename="'.$sDownloadArchiveName);
 		}
 
-		header('Expires: 0');
 		header('Cache-Control: must-revalidate');
 		header('Pragma: public');
+		header('Expires: 0');
 
-		foreach ($aHeaders as $sKey => $sValue)
-		{
+		foreach ($aHeaders as $sKey => $sValue) {
 			header($sKey.': '.$sValue);
 		}
 

test/benchmark.php

@@ -782,14 +782,15 @@ try
 
 		case 'create_structure':
 		$oP->no_cache();
-		$iPlannedContacts = Utils::ReadParam('plannedcontacts');
-		$iPlannedContracts = Utils::ReadParam('plannedcontracts');
+			$oP->add_xframe_options('DENY');
+			$iPlannedContacts = Utils::ReadParam('plannedcontacts');
+			$iPlannedContracts = Utils::ReadParam('plannedcontracts');
 
-		$oDataCreation = new BenchmarkDataCreation();
-		$oDataCreation->PlanStructure($iPlannedContacts, $iPlannedContracts);
-		$oDataCreation->ShowPlans($oP);
-		$oDataCreation->ShowForm($oP, 'create_structure_go');
-		break;
+			$oDataCreation = new BenchmarkDataCreation();
+			$oDataCreation->PlanStructure($iPlannedContacts, $iPlannedContracts);
+			$oDataCreation->ShowPlans($oP);
+			$oDataCreation->ShowForm($oP, 'create_structure_go');
+			break;
 
 		case 'create_structure_go':
 		$oP->no_cache();

webservices/export.php

@@ -190,24 +190,23 @@ if (!empty($sExpression))
 			{
 				case 'html':
 				$oP = new NiceWebPage("iTop - Export");
-				$oP->add_style('body { overflow: auto; }'); // Show scroll bars if needed
-				$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
-				$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
-				
-				// Integration within MS-Excel web queries + HTTPS + IIS:
-				// MS-IIS set these header values with no-cache... while Excel fails to do the job if using HTTPS
-				// Then the fix is to force the reset of header values Pragma and Cache-control 
-				header("Pragma:", true);
-				header("Cache-control:", true);
+					$oP->add_style('body { overflow: auto; }'); // Show scroll bars if needed
+					$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
+					$oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
 
-				// The HTML output is made for pages located in the /pages/ folder
-				// since this page is in a different folder, let's adjust the HTML 'base' attribute
-				// to make the relative hyperlinks in the page work
-				$sUrl = utils::GetAbsoluteUrlAppRoot();
-				$oP->set_base($sUrl.'pages/');
+					// Integration within MS-Excel web queries + HTTPS + IIS:
+					// MS-IIS set these header values with no-cache... while Excel fails to do the job if using HTTPS
+					// Then the fix is to force the reset of header values Pragma and Cache-control
+					header("Cache-control:", true);
+					header("Pragma:", true);
 
-				if(count($aFields) > 0)
-				{
+					// The HTML output is made for pages located in the /pages/ folder
+					// since this page is in a different folder, let's adjust the HTML 'base' attribute
+					// to make the relative hyperlinks in the page work
+					$sUrl = utils::GetAbsoluteUrlAppRoot();
+					$oP->set_base($sUrl.'pages/');
+
+					if (count($aFields) > 0) {
 					$iSearch = array_search('id', $aFields);
 					if ($iSearch !== false)
 					{