Add X-Frame-Options for all response

Summary: we use to only add X-Frame-Options for AphrontWebpageResponse. There some security concern about it. Example of a drag-drop attack: http://sites.google.com/site/tentacoloviola/. The fix is to add it to all AphrontResponse. Test Plan: View page which disalble this option still works (like the xhpast tree page); verify that the AphrontAjaxResponse contains the X-Frame-Options in the header. Reviewers: epriestley, benmathews Reviewed By: epriestley CC: nh, aran, jungejason, epriestley Differential Revision: 926
2024-11-26 16:52:41 +01:00 · 2011-09-13 16:38:28 -07:00 · 2011-09-13 16:38:28 -07:00 · 5284053c0e
commit 5284053c0e
parent 2f218ac745
5 changed files with 21 additions and 12 deletions
--- a/src/aphront/response/ajax/AphrontAjaxResponse.php
+++ b/src/aphront/response/ajax/AphrontAjaxResponse.php
@ -37,9 +37,11 @@ class AphrontAjaxResponse extends AphrontResponse {
  }

  public function getHeaders() {
-    return array(
+    $headers = array(
      array('Content-Type', 'text/plain; charset=UTF-8'),
    );
+    $headers = array_merge(parent::getHeaders(), $headers);
+    return $headers;
  }

 }
--- a/src/aphront/response/base/AphrontResponse.php
+++ b/src/aphront/response/base/AphrontResponse.php
@ -26,6 +26,8 @@ abstract class AphrontResponse {
  private $responseCode = 200;
  private $lastModified = null;

+  protected $frameable;
+
  public function setRequest($request) {
    $this->request = $request;
    return $this;
@ -36,7 +38,12 @@ abstract class AphrontResponse {
  }

  public function getHeaders() {
-    return array();
+    $headers = array();
+    if (!$this->frameable) {
+      $headers[] = array('X-Frame-Options', 'Deny');
+    }
+
+    return $headers;
  }

  public function setCacheDurationInSeconds($duration) {
@ -58,6 +65,11 @@ abstract class AphrontResponse {
    return $this->responseCode;
  }

+  public function setFrameable($frameable) {
+    $this->frameable = $frameable;
+    return $this;
+  }
+
  public function getCacheHeaders() {
    $headers = array();
    if ($this->cacheable) {
--- a/src/aphront/response/file/AphrontFileResponse.php
+++ b/src/aphront/response/file/AphrontFileResponse.php
@ -76,6 +76,7 @@ class AphrontFileResponse extends AphrontResponse {
      );
    }

+    $headers = array_merge(parent::getHeaders(), $headers);
    return $headers;
  }

--- a/src/aphront/response/redirect/AphrontRedirectResponse.php
+++ b/src/aphront/response/redirect/AphrontRedirectResponse.php
@ -33,9 +33,11 @@ class AphrontRedirectResponse extends AphrontResponse {
  }

  public function getHeaders() {
-    return array(
+    $headers = array(
      array('Location', $this->uri),
    );
+    $headers = array_merge(parent::getHeaders(), $headers);
+    return $headers;
  }

  public function buildResponseString() {
--- a/src/aphront/response/webpage/AphrontWebpageResponse.php
+++ b/src/aphront/response/webpage/AphrontWebpageResponse.php
@ -22,18 +22,12 @@
 class AphrontWebpageResponse extends AphrontResponse {

  private $content;
-  private $frameable;

  public function setContent($content) {
    $this->content = $content;
    return $this;
  }

-  public function setFrameable($frameable) {
-    $this->frameable = $frameable;
-    return $this;
-  }
-
  public function buildResponseString() {
    return $this->content;
  }
@ -42,9 +36,7 @@ class AphrontWebpageResponse extends AphrontResponse {
    $headers = array(
      array('Content-Type', 'text/html; charset=UTF-8'),
    );
-    if (!$this->frameable) {
-      $headers[] = array('X-Frame-Options', 'Deny');
-    }
+    $headers = array_merge(parent::getHeaders(), $headers);
    return $headers;
  }