Add X-Frame-Options for all response

Summary: we use to only add X-Frame-Options for AphrontWebpageResponse. There some security concern about it. Example of a drag-drop attack: http://sites.google.com/site/tentacoloviola/. The fix is to add it to all AphrontResponse. Test Plan: View page which disalble this option still works (like the xhpast tree page); verify that the AphrontAjaxResponse contains the X-Frame-Options in the header. Reviewers: epriestley, benmathews Reviewed By: epriestley CC: nh, aran, jungejason, epriestley Differential Revision: 926
2024-11-30 02:32:42 +01:00 · 2011-09-13 16:38:28 -07:00 · 2011-09-13 16:38:28 -07:00 · 5284053c0e
commit 5284053c0e
parent 2f218ac745
5 changed files with 21 additions and 12 deletions
--- a/src/aphront/response/ajax/AphrontAjaxResponse.php
+++ b/src/aphront/response/ajax/AphrontAjaxResponse.php
@ -37,9 +37,11 @@ class AphrontAjaxResponse extends AphrontResponse {
  }
  public function getHeaders() {
-    return array(
+    $headers = array(
      array('Content-Type', 'text/plain; charset=UTF-8'),
    );
    $headers = array_merge(parent::getHeaders(), $headers);
    return $headers;
  }
 }
--- a/src/aphront/response/base/AphrontResponse.php
+++ b/src/aphront/response/base/AphrontResponse.php
@ -26,6 +26,8 @@ abstract class AphrontResponse {
  private $responseCode = 200;
  private $lastModified = null;
  protected $frameable;
  public function setRequest($request) {
    $this->request = $request;
    return $this;
@ -36,7 +38,12 @@ abstract class AphrontResponse {
  }
  public function getHeaders() {
-    return array();
+    $headers = array();
    if (!$this->frameable) {
      $headers[] = array('X-Frame-Options', 'Deny');
    }
    return $headers;
  }
  public function setCacheDurationInSeconds($duration) {
@ -58,6 +65,11 @@ abstract class AphrontResponse {
    return $this->responseCode;
  }
  public function setFrameable($frameable) {
    $this->frameable = $frameable;
    return $this;
  }
  public function getCacheHeaders() {
    $headers = array();
    if ($this->cacheable) {
--- a/src/aphront/response/file/AphrontFileResponse.php
+++ b/src/aphront/response/file/AphrontFileResponse.php
@ -76,6 +76,7 @@ class AphrontFileResponse extends AphrontResponse {
      );
    }
    $headers = array_merge(parent::getHeaders(), $headers);
    return $headers;
  }
--- a/src/aphront/response/redirect/AphrontRedirectResponse.php
+++ b/src/aphront/response/redirect/AphrontRedirectResponse.php
@ -33,9 +33,11 @@ class AphrontRedirectResponse extends AphrontResponse {
  }
  public function getHeaders() {
-    return array(
+    $headers = array(
      array('Location', $this->uri),
    );
    $headers = array_merge(parent::getHeaders(), $headers);
    return $headers;
  }
  public function buildResponseString() {
--- a/src/aphront/response/webpage/AphrontWebpageResponse.php
+++ b/src/aphront/response/webpage/AphrontWebpageResponse.php
@ -22,18 +22,12 @@
 class AphrontWebpageResponse extends AphrontResponse {
  private $content;
  private $frameable;
  public function setContent($content) {
    $this->content = $content;
    return $this;
  }
  public function setFrameable($frameable) {
    $this->frameable = $frameable;
    return $this;
  }
  public function buildResponseString() {
    return $this->content;
  }
@ -42,9 +36,7 @@ class AphrontWebpageResponse extends AphrontResponse {
    $headers = array(
      array('Content-Type', 'text/html; charset=UTF-8'),
    );
-    if (!$this->frameable) {
+    $headers = array_merge(parent::getHeaders(), $headers);
      $headers[] = array('X-Frame-Options', 'Deny');
    }
    return $headers;
  }