Make EnforceFrameOptions compatible with legacy and PSR-15 controllers
authorTim Düsterhus <duesterhus@woltlab.com>
Thu, 19 May 2022 14:33:50 +0000 (16:33 +0200)
committerTim Düsterhus <duesterhus@woltlab.com>
Fri, 20 May 2022 07:23:43 +0000 (09:23 +0200)
wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
wcfsetup/install/files/lib/util/HeaderUtil.class.php

index b45ba2bec4aee825ceb06cdd4505c9eeec213f2a..b8debaff1df5b53f1333993ef57c65ced5e27465 100644 (file)
@@ -24,12 +24,20 @@ final class EnforceFrameOptions implements MiddlewareInterface
      */
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
+        // Also set the headers using the regular `\header()` call, because we might receive a
+        // LegacyPlaceholderResponse and we also need to protect requests to legacy controllers.
+        // If a proper PSR-7 response is returned the headers will be removed again and set on
+        // the response object.
+        \header('x-frame-options: SAMEORIGIN');
+
         $response = $handler->handle($request);
 
         if ($response instanceof LegacyPlaceholderResponse) {
             return $response;
         }
 
+        \header_remove('x-frame-options');
+
         return $response->withHeader('x-frame-options', 'SAMEORIGIN');
     }
 }
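Review bot: The `\header('x-frame-options: SAMEORIGIN')` call is issued before `$handler->handle($request)`, so on the legacy path the middleware only sets a default rather than enforcing one: `header()` replaces same-named headers by default, meaning any legacy controller that later calls `header('X-Frame-Options: ...')` or `header_remove('x-frame-options')` silently wins, whereas the PSR-7 path applies `withHeader()` after the handler and therefore overrides whatever the handler set. The comment on the new lines should say so, e.g. `// NOTE: for legacy controllers this is a default, not an enforced value: a later \header() call in the controller replaces it.`, so nobody relies on the class name alone for the legacy case. It also seems worth considering whether the `\header_remove('x-frame-options')` call should be guarded with `if (!\headers_sent())`, since a handler that has already flushed output but still returns a PSR-7 response would presumably trigger a "headers already sent" warning here; the deleted `HeaderUtil` call used `@` suppression for the analogous situation, and this version has no guard at all. The class header and the `use` imports are outside the hunk.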
index b809c6843e3821ad14e33dd425dc611ebccc3e3e..39d52afb18ed7c16f3888aa10d2fd6a8bb26055f 100644 (file)
@@ -90,8 +90,6 @@ final class HeaderUtil
             self::sendNoCacheHeaders();
         }
 
-        @\header('X-Frame-Options: SAMEORIGIN');
-
         \ob_start([self::class, 'parseOutput']);
     }