Add `EnforceFrameOptions` middleware

author Tim Düsterhus <duesterhus@woltlab.com>

Thu, 19 May 2022 14:11:14 +0000 (16:11 +0200)

committer Tim Düsterhus <duesterhus@woltlab.com>

Fri, 20 May 2022 07:22:23 +0000 (09:22 +0200)
author Tim Düsterhus <duesterhus@woltlab.com>
Thu, 19 May 2022 14:11:14 +0000 (16:11 +0200)
committer Tim Düsterhus <duesterhus@woltlab.com>
Fri, 20 May 2022 07:22:23 +0000 (09:22 +0200)
diff --git a/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php

new file mode 100644 (file)

index 0000000..b45ba2b
--- /dev/null
+++ b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
@@ -0,0 +1,35 @@
+<?php
+
+namespace wcf\http\middleware;
+
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use wcf\http\LegacyPlaceholderResponse;
+
+/**
+ * Adds 'x-frame-options: SAMEORIGIN' to the response.
+ *
+ * @author  Tim Duesterhus
+ * @copyright   2001-2022 WoltLab GmbH
+ * @license GNU Lesser General Public License <http://opensource.org/licenses/lgpl-license.php>
+ * @package WoltLabSuite\Core\Http\Middleware
+ * @since   5.6
+ */
+final class EnforceFrameOptions implements MiddlewareInterface
+{
+    /**
+     * @inheritDoc
+     */
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $response = $handler->handle($request);
+
+        if ($response instanceof LegacyPlaceholderResponse) {
+            return $response;
+        }
+
+        return $response->withHeader('x-frame-options', 'SAMEORIGIN');
+    }
+}
diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php

index a479f397505e47da4faa0ff868da661ec04402ca..1d36882fd4a5f411dff8e194bc500206ca1e544b 100644 (file)
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
@@ -7,6 +7,7 @@ use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
  use Psr\Http\Message\ResponseInterface;
  use wcf\http\LegacyPlaceholderResponse;
  use wcf\http\middleware\EnforceCacheControlPrivate;
+use wcf\http\middleware\EnforceFrameOptions;
  use wcf\http\Pipeline;
  use wcf\system\application\ApplicationHandler;
  use wcf\system\box\BoxHandler;
@@ -106,6 +107,7 @@ class RequestHandler extends SingletonFactory
  
              $pipeline = new Pipeline([
                  new EnforceCacheControlPrivate(),
+                new EnforceFrameOptions(),
              ]);
  
              $this->sendPsr7Response(
@@ -127,8 +129,6 @@ class RequestHandler extends SingletonFactory
              return;
          }
  
-        $response->withHeader('x-frame-options', 'SAMEORIGIN');
-
          $emitter = new SapiEmitter();
          $emitter->emit($response);
      }
author	Tim Düsterhus <duesterhus@woltlab.com>
	Thu, 19 May 2022 14:11:14 +0000 (16:11 +0200)
committer	Tim Düsterhus <duesterhus@woltlab.com>
	Fri, 20 May 2022 07:22:23 +0000 (09:22 +0200)
wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php	[new file with mode: 0644]	patch \| blob
wcfsetup/install/files/lib/system/request/RequestHandler.class.php		patch \| blob \| blame \| history