
Add X-Frame-Options for all response

Summary:
we used to only add X-Frame-Options for AphrontWebpageResponse.
There is some security concern about it. Example of a drag-drop attack:
http://sites.google.com/site/tentacoloviola/. The fix is to add it to
all AphrontResponse.

Test Plan:
View page which disalble this option still works (like the
xhpast tree page); verify that the AphrontAjaxResponse contains the
X-Frame-Options in the header.

Reviewers: epriestley, benmathews

Reviewed By: epriestley

CC: nh, aran, jungejason, epriestley

Differential Revision: 926
Jason Ge 2011-09-13 16:38:28 -07:00
parent 2f218ac745
commit 5284053c0e
5 changed files with 21 additions and 12 deletions


@ -37,9 +37,11 @@ class AphrontAjaxResponse extends AphrontResponse {
}
public function getHeaders() {
return array(
$headers = array(
array('Content-Type', 'text/plain; charset=UTF-8'),
);
$headers = array_merge(parent::getHeaders(), $headers);
return $headers;
}
}
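Review bot: The rewritten getHeaders() assigns `$headers` twice — once for the Content-Type pair and again for the merge result — before returning it, and the same shape appears in AphrontRedirectResponse and AphrontWebpageResponse below; the intermediate can be dropped, e.g. `return array_merge(parent::getHeaders(), array(array('Content-Type', 'text/plain; charset=UTF-8')));`. Whichever form is kept, the reason for chaining to the parent is the whole point of the commit and deserves a line, e.g. `// Merge parent::getHeaders() so the X-Frame-Options default applies to AJAX responses too.`. Note that these header arrays are lists of name/value pairs, so array_merge appends rather than overrides; a subclass that later adds its own X-Frame-Options would emit the header twice rather than replace the parent's.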


@ -26,6 +26,8 @@ abstract class AphrontResponse {
private $responseCode = 200;
private $lastModified = null;
protected $frameable;
public function setRequest($request) {
$this->request = $request;
return $this;
@ -36,7 +38,12 @@ abstract class AphrontResponse {
}
public function getHeaders() {
return array();
$headers = array();
if (!$this->frameable) {
$headers[] = array('X-Frame-Options', 'Deny');
}
return $headers;
}
public function setCacheDurationInSeconds($duration) {
@ -58,6 +65,11 @@ abstract class AphrontResponse {
return $this->responseCode;
}
public function setFrameable($frameable) {
$this->frameable = $frameable;
return $this;
}
public function getCacheHeaders() {
$headers = array();
if ($this->cacheable) {
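Review bot: The new `protected $frameable;` is left uninitialised, so the deny branch in getHeaders() relies on null being falsy; declaring `protected $frameable = false;` makes the deny-by-default explicit and documents what setFrameable(true) opts out of. A why-comment on the base method would help future readers, e.g. `// Deny framing unless the response opts in via setFrameable(true); this is the clickjacking defence the commit message describes.`. The protection also depends on every subclass that overrides getHeaders() merging parent::getHeaders(): the commit updates the four subclasses it knows about, but a future override that does not chain silently loses the header, which is worth stating in that comment or, if the response pipeline has a single place where headers are emitted (not visible here), enforcing there instead.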


@ -76,6 +76,7 @@ class AphrontFileResponse extends AphrontResponse {
);
}
$headers = array_merge(parent::getHeaders(), $headers);
return $headers;
}


@ -33,9 +33,11 @@ class AphrontRedirectResponse extends AphrontResponse {
}
public function getHeaders() {
return array(
$headers = array(
array('Location', $this->uri),
);
$headers = array_merge(parent::getHeaders(), $headers);
return $headers;
}
public function buildResponseString() {


@ -22,18 +22,12 @@
class AphrontWebpageResponse extends AphrontResponse {
private $content;
private $frameable;
public function setContent($content) {
$this->content = $content;
return $this;
}
public function setFrameable($frameable) {
$this->frameable = $frameable;
return $this;
}
public function buildResponseString() {
return $this->content;
}
@ -42,9 +36,7 @@ class AphrontWebpageResponse extends AphrontResponse {
$headers = array(
array('Content-Type', 'text/html; charset=UTF-8'),
);
if (!$this->frameable) {
$headers[] = array('X-Frame-Options', 'Deny');
}
$headers = array_merge(parent::getHeaders(), $headers);
return $headers;
}