MAGETWO-46581: X-XSS-Protection is set on IE 8

4076ed2b · Dale Sikkema · f1f9057c · 4076ed2b · 4076ed2b · 4076ed2b
Commit 4076ed2b authored 9 years ago by Dale Sikkema
--- a/.htaccess
+++ b/.htaccess
@@ -285,10 +285,3 @@
 ## http://developer.yahoo.com/performance/rules.html#etags

    #FileETag none
-
-############################################
-## Add custom headers
-<IfModule mod_headers.c>
-    Header set X-Content-Type-Options "nosniff"
-    Header set X-XSS-Protection "1; mode=block"
-</IfModule>
--- a/app/etc/di.xml
+++ b/app/etc/di.xml
@@ -1076,6 +1076,8 @@
        <arguments>
            <argument name="headerProviderList" xsi:type="array">
                <item name="x-frame-options" xsi:type="object">Magento\Framework\App\Response\Header\XFrameOptions</item>
+                <item name="x-content-type-options" xsi:type="object">Magento\Framework\App\Response\Header\XContentTypeOptions</item>
+                <item name="x-xss-protection" xsi:type="object">Magento\Framework\App\Response\Header\XssProtection</item>
            </argument>
        </arguments>
    </type>

--- a/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
+++ b/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\App\Response\Header;
+
+use Magento\Framework\App\Response\Header\AbstractHeader;
+
+class XContentTypeOptions extends AbstractHeader
+{
+    protected $value = 'nosniff';
+    protected $name = 'X-Content-Type-Options';
+}
--- a/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
+++ b/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\App\Response\Header;
+
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\Response\HeaderProviderInterface;
+use Magento\Framework\HTTP\Header;
+
+class XssProtection implements HeaderProviderInterface
+{
+    /**
+     * Header name
+     */
+    const NAME = 'X-XSS-Protection';
+
+    /**
+     * Matches IE 8 browsers
+     */
+    const IE_8_USER_AGENT = 'MSIE 8';
+
+    /**
+     * @var Header
+     */
+    private $headerService;
+
+    /**
+     * @param Header $headerService
+     */
+    public function __construct(Header $headerService)
+    {
+        $this->headerService = $headerService;
+    }
+
+    /**
+     * Whether the header should be attached to the response
+     *
+     * @return bool
+     */
+    public function canApply()
+    {
+        return true;
+    }
+
+    /**
+     * Header name
+     *
+     * @return string
+     */
+    public function getName()
+    {
+        return self::NAME;
+    }
+
+    /**
+     * Header value. Must be disabled for IE 8.
+     *
+     * @return string
+     */
+    public function getValue()
+    {
+        return strpos($this->headerService->getHttpUserAgent(), self::IE_8_USER_AGENT) === false
+            ? '1; mode=block'
+            : '0';
+    }
+}