From: Tim Düsterhus
Date: Thu, 19 May 2022 14:11:14 +0000 (+0200)
Subject: Add `EnforceFrameOptions` middleware
X-Git-Tag: 6.0.0_Alpha_1~1266^2~6
X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=01c0358ed08a9d707221b0f5795e2d58b712642c;p=GitHub%2FWoltLab%2FWCF.git

Add `EnforceFrameOptions` middleware
---

diff --git a/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
new file mode 100644
index 0000000000..b45ba2bec4
--- /dev/null
+++ b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
@@ -0,0 +1,35 @@
+
+ * @package WoltLabSuite\Core\Http\Middleware
+ * @since 5.6
+ */
+final class EnforceFrameOptions implements MiddlewareInterface
+{
+ /**
+ * @inheritDoc
+ */
+ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+ {
+ $response = $handler->handle($request);
+
+ if ($response instanceof LegacyPlaceholderResponse) {
+ return $response;
+ }
+
+ return $response->withHeader('x-frame-options', 'SAMEORIGIN');
+ }
+}
diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
index a479f39750..1d36882fd4 100644
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
@@ -7,6 +7,7 @@ use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
 use Psr\Http\Message\ResponseInterface;
 use wcf\http\LegacyPlaceholderResponse;
 use wcf\http\middleware\EnforceCacheControlPrivate;
+use wcf\http\middleware\EnforceFrameOptions;
 use wcf\http\Pipeline;
 use wcf\system\application\ApplicationHandler;
 use wcf\system\box\BoxHandler;
@@ -106,6 +107,7 @@ class RequestHandler extends SingletonFactory
 $pipeline = new Pipeline([
 new EnforceCacheControlPrivate(),
+ new EnforceFrameOptions(),
 ]);
 $this->sendPsr7Response(
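Review bot: In `EnforceFrameOptions::process()` the final `withHeader('x-frame-options', 'SAMEORIGIN')` replaces any value the inner handler already set, so a response that deliberately sent `DENY` would be relaxed to `SAMEORIGIN`. If that is not intended, keep the stricter value with a guard before the final return: `if (\strcasecmp($response->getHeaderLine('x-frame-options'), 'DENY') === 0) { return $response; }`. The `LegacyPlaceholderResponse` branch returns without the header, and the visible lines do not show where that path gets its framing protection, so a one-line comment there such as `// Legacy output sends its own headers; nothing to add here.` would help once confirmed. The top of the new file (namespace, imports, start of the class docblock) is not visible on this page.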
@@ -127,8 +129,6 @@ class RequestHandler extends SingletonFactory
 return;
 }
- $response->withHeader('x-frame-options', 'SAMEORIGIN');
-
 $emitter = new SapiEmitter();
 $emitter->emit($response);
 }