From: Tim Düsterhus Date: Wed, 11 May 2022 10:24:13 +0000 (+0200) Subject: Always send `x-frame-options` X-Git-Tag: 6.0.0_Alpha_1~1313^2 X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=810bfc544c4151d5e6903c6c8a5f19060af762a2;p=GitHub%2FWoltLab%2FWCF.git Always send `x-frame-options` Resolves #4484 --- diff --git a/com.woltlab.wcf/option.xml b/com.woltlab.wcf/option.xml index 2b849b4a5c..bc10016eda 100644 --- a/com.woltlab.wcf/option.xml +++ b/com.woltlab.wcf/option.xml @@ -581,13 +581,6 @@ private:wcf.acp.option.exception_privacy.private ^[a-zA-Z0-9_]+$ - - - + + diff --git a/constants.php b/constants.php index 6144dfe294..8948fe5a7f 100644 --- a/constants.php +++ b/constants.php @@ -56,7 +56,6 @@ \define('SEARCH_ENGINE', 'mysql'); \define('EXCEPTION_PRIVACY', 'public'); \define('COOKIE_PREFIX', 'wcf21_'); -\define('HTTP_SEND_X_FRAME_OPTIONS', 1); \define('PACKAGE_SERVER_AUTH_CODE', ''); \define('PROXY_SERVER_HTTP', ''); \define('IP_ADDRESS_SEARCH_ENGINE', ''); diff --git a/wcfsetup/install/files/acp/templates/index.tpl b/wcfsetup/install/files/acp/templates/index.tpl index 50c86ec303..0fd6901ca6 100644 --- a/wcfsetup/install/files/acp/templates/index.tpl +++ b/wcfsetup/install/files/acp/templates/index.tpl @@ -25,10 +25,6 @@

{lang}wcf.acp.index.tmpBroken{/lang}

{/if} -{if !HTTP_SEND_X_FRAME_OPTIONS} -

{lang}wcf.acp.index.allowsFrameEmbedding{/lang}

-{/if} - {if $recaptchaWithoutKey}

{lang}wcf.acp.index.recaptchaWithoutKey{/lang}

{/if}
diff --git a/wcfsetup/install/files/lib/acp/page/IndexPage.class.php b/wcfsetup/install/files/lib/acp/page/IndexPage.class.php
index c0eed71c51..a8dc7a918a 100755
--- a/wcfsetup/install/files/lib/acp/page/IndexPage.class.php
+++ b/wcfsetup/install/files/lib/acp/page/IndexPage.class.php
@@ -109,15 +109,6 @@ class IndexPage extends AbstractPage
 );
 }
- $xFrameOptionsLink = LinkHandler::getInstance()->getLink(
- 'Option',
- [
- 'id' => $optionCategories['general']->categoryID,
- 'optionName' => 'http_send_x_frame_options',
- ],
- '#category_general.system'
- );
-
 $evaluationExpired = $evaluationPending = [];
 foreach (ApplicationHandler::getInstance()->getApplications() as $application) {
 if ($application->isTainted) {
@@ -189,7 +180,6 @@ class IndexPage extends AbstractPage
 WCF::getTPL()->assign([
 'recaptchaWithoutKey' => $recaptchaWithoutKey,
 'recaptchaKeyLink' => $recaptchaKeyLink,
- 'xFrameOptionsLink' => $xFrameOptionsLink,
 'server' => $this->server,
 'usersAwaitingApproval' => $usersAwaitingApproval,
 'evaluationExpired' => $evaluationExpired,
diff --git a/wcfsetup/install/files/lib/system/WCF.class.php b/wcfsetup/install/files/lib/system/WCF.class.php
index f8da53a2df..4faa927fc8 100644
--- a/wcfsetup/install/files/lib/system/WCF.class.php
+++ b/wcfsetup/install/files/lib/system/WCF.class.php
@@ -495,6 +495,9 @@ class WCF
 // The captcha option related to the removed SearchForm was removed in 5.5.
 \define('SEARCH_USE_CAPTCHA', 0);
+
+ // Disabling X-Frame-Options is no longer possible since 5.6.
+ \define('HTTP_SEND_X_FRAME_OPTIONS', 1);
 }
 /**
diff --git a/wcfsetup/install/files/lib/system/WCFSetup.class.php b/wcfsetup/install/files/lib/system/WCFSetup.class.php
index 607e4315cf..43062ad071 100644
--- a/wcfsetup/install/files/lib/system/WCFSetup.class.php
+++ b/wcfsetup/install/files/lib/system/WCFSetup.class.php
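Review bot: The new `\define('HTTP_SEND_X_FRAME_OPTIONS', 1);` in WCF.class.php explains why the value is fixed but not why the constant still exists now that the option itself is dropped from option.xml in this same commit. Presumably it is retained, like the neighbouring `SEARCH_USE_CAPTCHA` shim, so that third-party code which still reads the constant keeps working; stating that makes the intended lifetime clear, e.g. `// Kept only for compatibility with code that still reads it; do not use in new code.` placed above the define. The enclosing method begins outside the hunk.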
@@ -36,7 +36,6 @@ use wcf\util\XML;
 // define
 \define('PACKAGE_ID', 0);
-\define('HTTP_SEND_X_FRAME_OPTIONS', 1);
 \define('CACHE_SOURCE_TYPE', 'disk');
 \define('ENABLE_DEBUG_MODE', 1);
 \define('ENABLE_BENCHMARK', 0);
diff --git a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
index b71e9fdf80..620e5b8f09 100644
--- a/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
+++ b/wcfsetup/install/files/lib/system/session/SessionHandler.class.php
@@ -502,10 +502,6 @@ final class SessionHandler extends SingletonFactory
 $sameSite = '; SameSite=lax';
 }
- if (!HTTP_SEND_X_FRAME_OPTIONS) {
- $sameSite = '; SameSite=none';
- }
-
 \header(
 'set-cookie: XSRF-TOKEN=' . \rawurlencode($xsrfToken) . '; path=/' . $cookieDomain . (RouteHandler::secureConnection() ? '; secure' : '') . $sameSite,
 false
diff --git a/wcfsetup/install/files/lib/util/HeaderUtil.class.php b/wcfsetup/install/files/lib/util/HeaderUtil.class.php
index 2197eedc5c..fa1ef62365 100644
--- a/wcfsetup/install/files/lib/util/HeaderUtil.class.php
+++ b/wcfsetup/install/files/lib/util/HeaderUtil.class.php
@@ -42,16 +42,11 @@ final class HeaderUtil
 {
 $cookieDomain = self::getCookieDomain();
- $sameSite = '';
- if (!HTTP_SEND_X_FRAME_OPTIONS) {
- $sameSite = '; SameSite=none';
- }
-
 @\header(
 'Set-Cookie: ' . \rawurlencode(COOKIE_PREFIX . $name) . '=' . \rawurlencode((string)$value) . ($expire ? '; expires=' . \gmdate(
 'D, d-M-Y H:i:s',
 $expire
- ) . ' GMT; max-age=' . ($expire - TIME_NOW) : '') . '; path=/' . ($cookieDomain !== null ? '; domain=' . $cookieDomain : '') . (RouteHandler::secureConnection() ? '; secure' : '') . $sameSite . '; HttpOnly',
+ ) . ' GMT; max-age=' . ($expire - TIME_NOW) : '') . '; path=/' . ($cookieDomain !== null ? '; domain=' . $cookieDomain : '') . (RouteHandler::secureConnection() ? '; secure' : '') . '; HttpOnly',
 false
 );
 }
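Review bot: In the HeaderUtil hunk, the rewritten `Set-Cookie` line carries no `SameSite` attribute at all once `$sameSite` is gone, so the cookie's cross-site behaviour becomes whatever each browser defaults to rather than a policy the code states. The XSRF-TOKEN cookie in the SessionHandler hunk just above sets `; SameSite=lax` explicitly (under a condition that starts outside that hunk), and since this commit makes cross-origin framing impossible the `None` value is never needed again. If no cross-site POST flow depends on these cookies, spelling the attribute out here keeps the two paths consistent: `... . (RouteHandler::secureConnection() ? '; secure' : '') . '; SameSite=lax; HttpOnly',`. The method's signature is above the hunk.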
@@ -95,10 +90,7 @@ final class HeaderUtil
 self::sendNoCacheHeaders();
 }
- // send X-Frame-Options
- if (HTTP_SEND_X_FRAME_OPTIONS) {
- @\header('X-Frame-Options: SAMEORIGIN');
- }
+ @\header('X-Frame-Options: SAMEORIGIN');
 \ob_start([self::class, 'parseOutput']);
 }
diff --git a/wcfsetup/install/files/options.inc.php b/wcfsetup/install/files/options.inc.php
index 21870e4dad..e4677425c6 100644
--- a/wcfsetup/install/files/options.inc.php
+++ b/wcfsetup/install/files/options.inc.php
@@ -22,8 +22,6 @@ if (\file_exists(WCF_DIR . 'cookiePrefix.txt')) {
 \define('COOKIE_PATH', '');
 \define('COOKIE_DOMAIN', '');
-\define('HTTP_SEND_X_FRAME_OPTIONS', 1);
-
 \define('CACHE_SOURCE_TYPE', 'disk');
 \define('IMAGE_ADAPTER_TYPE', 'gd');
 \define('TIMEZONE', 'Europe/Berlin');
diff --git a/wcfsetup/install/lang/de.xml b/wcfsetup/install/lang/de.xml
index 600318f9f0..b44f05309e 100644
--- a/wcfsetup/install/lang/de.xml
+++ b/wcfsetup/install/lang/de.xml
@@ -1333,8 +1333,6 @@ ACHTUNG: Die oben genannten Meldungen sind stark gekürzt. Sie können Details z minvalue !== null} Der minimale Wert ist {#$option->minvalue}.{/if}]]> - - Clickjacking-Angriffe ermöglicht werden. Darüber hinaus können bestimmte Sicherheitsmerkmale von Cookies in Frames nicht verwendet werden.]]>
@@ -5564,4 +5562,8 @@ Benachrichtigungen auf {PAGE_TITLE|phra + + + +
diff --git a/wcfsetup/install/lang/en.xml b/wcfsetup/install/lang/en.xml
index 8ccc9da5e7..c0890aabc8 100644
--- a/wcfsetup/install/lang/en.xml
+++ b/wcfsetup/install/lang/en.xml
@@ -1312,8 +1312,6 @@ ATTENTION: The messages listed above are greatly shortened. You can view details minvalue !== null} of {#$option->minvalue}{/if}.]]> - - Clickjacking attacks to happen. In addition certain security features for cookies are not available within frames.]]>
@@ -5566,4 +5564,8 @@ your notifications on {PAGE_TITLE|phras + + + +
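Review bot: The now-unconditional `@\header('X-Frame-Options: SAMEORIGIN');` relies on a header that current browsers treat as superseded by the CSP `frame-ancestors` directive, which is the standardised control for the same policy. Since the commit's intent is that pages can no longer be framed cross-origin, emitting both would also cover clients that consult only CSP: `@\header("Content-Security-Policy: frame-ancestors 'self'");` next to the existing call, after checking that no CSP header is produced elsewhere, because several CSP headers are enforced jointly. The `@` keeps suppressing a "headers already sent" warning as the removed lines did; a one-line comment on why that suppression is acceptable here would replace the `// send X-Frame-Options` comment the hunk drops. The enclosing method begins outside the hunk.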