Add X-Frame-Options for all response
Summary: We used to add X-Frame-Options only for AphrontWebpageResponse. There is a security concern about that. Example of a drag-and-drop attack: http://sites.google.com/site/tentacoloviola/. The fix is to add it to every AphrontResponse. Test Plan: Verified that pages which disable this option still work (like the xhpast tree page); verified that the AphrontAjaxResponse contains X-Frame-Options in its headers. Reviewers: epriestley, benmathews Reviewed By: epriestley CC: nh, aran, jungejason, epriestley Differential Revision: 926
This commit is contained in:
parent
2f218ac745
commit
5284053c0e
5 changed files with 21 additions and 12 deletions
|
@ -37,9 +37,11 @@ class AphrontAjaxResponse extends AphrontResponse {
|
|||
}
|
||||
|
||||
public function getHeaders() {
|
||||
return array(
|
||||
$headers = array(
|
||||
array('Content-Type', 'text/plain; charset=UTF-8'),
|
||||
);
|
||||
$headers = array_merge(parent::getHeaders(), $headers);
|
||||
return $headers;
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
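Review bot: The ajax response's frame protection now depends entirely on the `$headers = array_merge(parent::getHeaders(), $headers);` line, because getHeaders() is an ordinary overridable method and any override that omits the parent call silently ships without X-Frame-Options. A short comment above the merge makes that contract visible to the next person who edits this method: `// Keep parent::getHeaders() merged in: it supplies X-Frame-Options for every response.` Note also that array_merge on these list-shaped pairs concatenates rather than replaces, so a subclass that adds its own X-Frame-Options pair would emit the header twice; nothing in this hunk does so, but it is worth knowing when extending the class.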
@ -26,6 +26,8 @@ abstract class AphrontResponse {
|
|||
private $responseCode = 200;
|
||||
private $lastModified = null;
|
||||
|
||||
protected $frameable;
|
||||
|
||||
public function setRequest($request) {
|
||||
$this->request = $request;
|
||||
return $this;
|
||||
|
@ -36,7 +38,12 @@ abstract class AphrontResponse {
|
|||
}
|
||||
|
||||
public function getHeaders() {
|
||||
return array();
|
||||
$headers = array();
|
||||
if (!$this->frameable) {
|
||||
$headers[] = array('X-Frame-Options', 'Deny');
|
||||
}
|
||||
|
||||
return $headers;
|
||||
}
|
||||
|
||||
public function setCacheDurationInSeconds($duration) {
|
||||
|
@ -58,6 +65,11 @@ abstract class AphrontResponse {
|
|||
return $this->responseCode;
|
||||
}
|
||||
|
||||
public function setFrameable($frameable) {
|
||||
$this->frameable = $frameable;
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function getCacheHeaders() {
|
||||
$headers = array();
|
||||
if ($this->cacheable) {
|
||||
|
|
|
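Review bot: The default-deny in the new base getHeaders() rests on `protected $frameable;` being left uninitialized (null), so `!$this->frameable` holds until someone calls setFrameable(); that is the right default, but it should be explicit and the setter should normalize its input, e.g. `protected $frameable = false;` and `$this->frameable = (bool)$frameable;`, with a comment that only a true boolean disables the header. More importantly, the control is fail-open by construction: every subclass must remember `array_merge(parent::getHeaders(), ...)`, and an override that forgets it loses the header with no error; if the code that actually writes headers is reachable from here (it is not in this hunk), emitting X-Frame-Options there, or giving subclasses a separate hook instead of overriding getHeaders(), would make the protection impossible to drop by omission. Finally, the value is conventionally spelled `'DENY'`; browsers appear to treat it case-insensitively, but the canonical spelling avoids surprises with strict proxies and scanners. The constructor and header-emission code for this abstract class are outside the hunk.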
@ -76,6 +76,7 @@ class AphrontFileResponse extends AphrontResponse {
|
|||
);
|
||||
}
|
||||
|
||||
$headers = array_merge(parent::getHeaders(), $headers);
|
||||
return $headers;
|
||||
}
|
||||
|
||||
|
|
|
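Review bot: File responses now carry `X-Frame-Options: Deny`, which browsers apply to `<iframe>`, `<frame>`, `<object>` and `<embed>` but not to `<img>`, so if any page embeds a file response in an iframe (for example a PDF or HTML preview) that response now needs an explicit setFrameable(true), which the test plan in the description does not appear to cover. Deny does look like the right default here, since an attacker's page framing user-controlled uploaded content is close to the drag-and-drop scenario the description cites; just confirm there are no in-product iframe consumers of file responses. The enclosing getHeaders() begins before this hunk, so whatever it places into `$headers` above the merge is not visible here.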
@ -33,9 +33,11 @@ class AphrontRedirectResponse extends AphrontResponse {
|
|||
}
|
||||
|
||||
public function getHeaders() {
|
||||
return array(
|
||||
$headers = array(
|
||||
array('Location', $this->uri),
|
||||
);
|
||||
$headers = array_merge(parent::getHeaders(), $headers);
|
||||
return $headers;
|
||||
}
|
||||
|
||||
public function buildResponseString() {
|
||||
|
|
|
@ -22,18 +22,12 @@
|
|||
class AphrontWebpageResponse extends AphrontResponse {
|
||||
|
||||
private $content;
|
||||
private $frameable;
|
||||
|
||||
public function setContent($content) {
|
||||
$this->content = $content;
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function setFrameable($frameable) {
|
||||
$this->frameable = $frameable;
|
||||
return $this;
|
||||
}
|
||||
|
||||
public function buildResponseString() {
|
||||
return $this->content;
|
||||
}
|
||||
|
@ -42,9 +36,7 @@ class AphrontWebpageResponse extends AphrontResponse {
|
|||
$headers = array(
|
||||
array('Content-Type', 'text/html; charset=UTF-8'),
|
||||
);
|
||||
if (!$this->frameable) {
|
||||
$headers[] = array('X-Frame-Options', 'Deny');
|
||||
}
|
||||
$headers = array_merge(parent::getHeaders(), $headers);
|
||||
return $headers;
|
||||
}
|
||||
|
||||
|
|