From 01c0358ed08a9d707221b0f5795e2d58b712642c Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tim=20D=C3=BCsterhus?=
Date: Thu, 19 May 2022 16:11:14 +0200
Subject: [PATCH] Add `EnforceFrameOptions` middleware
---
 .../middleware/EnforceFrameOptions.class.php | 35 +++++++++++++++++++
 .../system/request/RequestHandler.class.php | 4 +--
 2 files changed, 37 insertions(+), 2 deletions(-)
 create mode 100644 wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
diff --git a/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
new file mode 100644
index 0000000000..b45ba2bec4
--- /dev/null
+++ b/wcfsetup/install/files/lib/http/middleware/EnforceFrameOptions.class.php
@@ -0,0 +1,35 @@
+
+ * @package WoltLabSuite\Core\Http\Middleware
+ * @since 5.6
+ */
+final class EnforceFrameOptions implements MiddlewareInterface
+{
+ /**
+ * @inheritDoc
+ */
+ public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+ {
+ $response = $handler->handle($request);
+
+ if ($response instanceof LegacyPlaceholderResponse) {
+ return $response;
+ }
+
+ return $response->withHeader('x-frame-options', 'SAMEORIGIN');
+ }
+}
diff --git a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
index a479f39750..1d36882fd4 100644
--- a/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
+++ b/wcfsetup/install/files/lib/system/request/RequestHandler.class.php
@@ -7,6 +7,7 @@ use Laminas\HttpHandlerRunner\Emitter\SapiEmitter;
 use Psr\Http\Message\ResponseInterface;
 use wcf\http\LegacyPlaceholderResponse;
 use wcf\http\middleware\EnforceCacheControlPrivate;
+use wcf\http\middleware\EnforceFrameOptions;
 use wcf\http\Pipeline;
 use wcf\system\application\ApplicationHandler;
 use wcf\system\box\BoxHandler;
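Review bot: `$response->withHeader('x-frame-options', 'SAMEORIGIN')` at the end of `process()` replaces whatever the inner handler already set, so a controller that deliberately answered with the stricter `DENY` would be downgraded to `SAMEORIGIN`. A guard before the final return keeps the stricter value: `if (\strcasecmp($response->getHeaderLine('x-frame-options'), 'DENY') === 0) { return $response; }`. The early return for `LegacyPlaceholderResponse` leaves that path without the header from this middleware; the patch does not show where legacy output gets its framing header, so a short comment on that branch naming the code that sends it (once confirmed) would make the coverage auditable. Current browsers treat `X-Frame-Options` as superseded by CSP, so sending `Content-Security-Policy: frame-ancestors 'self'` alongside it is worth considering.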
@@ -106,6 +107,7 @@ class RequestHandler extends SingletonFactory
 $pipeline = new Pipeline([
 new EnforceCacheControlPrivate(),
+ new EnforceFrameOptions(),
 ]);
 $this->sendPsr7Response(
@@ -127,8 +129,6 @@ class RequestHandler extends SingletonFactory
 return;
 }
- $response->withHeader('x-frame-options', 'SAMEORIGIN');
-
 $emitter = new SapiEmitter();
 $emitter->emit($response);
 }
--
2.20.1
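Review bot: Nothing in the patch checks that a response leaving the pipeline carries the header once `new EnforceFrameOptions()` is registered, and the history here suggests it needs a test. The statement removed from `sendPsr7Response()` in the next hunk discarded the return value of `withHeader()`, and PSR-7 responses are immutable, so the header was apparently never applied on this path before. A regression test that runs a plain response through the pipeline and asserts `$response->getHeaderLine('x-frame-options') === 'SAMEORIGIN'` would catch a repeat, and a sentence in the commit description noting the behaviour change would help anyone auditing when the clickjacking protection took effect. The enclosing method starts and ends outside the hunk.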