From 4076ed2bcac21ebd03e4ab8a6a32028a6fa76043 Mon Sep 17 00:00:00 2001
From: Dale Sikkema <dsikkema@ebay.com>
Date: Thu, 10 Dec 2015 14:43:50 -0600
Subject: [PATCH] MAGETWO-46581: X-XSS-Protection is set on IE 8

---
 .htaccess                                     |  7 --
 app/etc/di.xml                                |  2 +
 .../Response/Header/XContentTypeOptions.php   | 14 ++++
 .../App/Response/Header/XssProtection.php     | 68 +++++++++++++++++++
 4 files changed, 84 insertions(+), 7 deletions(-)
 create mode 100644 lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
 create mode 100644 lib/internal/Magento/Framework/App/Response/Header/XssProtection.php

diff --git a/.htaccess b/.htaccess
index 50c06d4e3ae..60d71d7a170 100644
--- a/.htaccess
+++ b/.htaccess
@@ -285,10 +285,3 @@
 ## http://developer.yahoo.com/performance/rules.html#etags
 
     #FileETag none
-
-############################################
-## Add custom headers
-<IfModule mod_headers.c>
-    Header set X-Content-Type-Options "nosniff"
-    Header set X-XSS-Protection "1; mode=block"
-</IfModule>
diff --git a/app/etc/di.xml b/app/etc/di.xml
index d3d67b9bb35..c0726df7148 100755
--- a/app/etc/di.xml
+++ b/app/etc/di.xml
@@ -1076,6 +1076,8 @@
         <arguments>
             <argument name="headerProviderList" xsi:type="array">
                 <item name="x-frame-options" xsi:type="object">Magento\Framework\App\Response\Header\XFrameOptions</item>
+                <item name="x-content-type-options" xsi:type="object">Magento\Framework\App\Response\Header\XContentTypeOptions</item>
+                <item name="x-xss-protection" xsi:type="object">Magento\Framework\App\Response\Header\XssProtection</item>
             </argument>
         </arguments>
     </type>
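Review bot: Once the `.htaccess` block is gone (first hunk of this patch), `X-Content-Type-Options: nosniff` and `X-XSS-Protection` are emitted only for responses that pass through the header provider list registered here, so anything the web server serves directly — files under the docroot, server-generated error pages — no longer carries them unless the server configuration still sets them. If that narrowing is intended, a short note next to the new items would stop the next reader from re-adding the Apache directives, e.g. `<!-- security headers for application responses; static files must be covered by web server config -->`. I cannot tell from the hunks whether other server config samples in the repository still set these headers, so that is worth confirming before merge.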
diff --git a/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php b/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
new file mode 100644
index 00000000000..6776b81af66
--- /dev/null
+++ b/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
@@ -0,0 +1,14 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\App\Response\Header;
+
+use Magento\Framework\App\Response\Header\AbstractHeader;
+
+class XContentTypeOptions extends AbstractHeader
+{
+    protected $value = 'nosniff';
+    protected $name = 'X-Content-Type-Options';
+}
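Review bot: The new class carries no docblock, and the `use Magento\Framework\App\Response\Header\AbstractHeader;` line imports a class from the file's own namespace, so it is redundant and can be dropped. A class comment that records what the header buys would help, e.g. `/** Sends X-Content-Type-Options: nosniff so browsers honour the declared Content-Type instead of content-sniffing it, closing off MIME-confusion tricks on mis-typed or user-uploaded responses. */`. The header semantics (`$name`, `$value`, how `AbstractHeader` uses them) come from the parent class, which is outside this patch, so I am assuming it emits `$name: $value` unconditionally — confirm.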
diff --git a/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php b/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
new file mode 100644
index 00000000000..06817457aac
--- /dev/null
+++ b/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\App\Response\Header;
+
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\Response\HeaderProviderInterface;
+use Magento\Framework\HTTP\Header;
+
+class XssProtection implements HeaderProviderInterface
+{
+    /**
+     * Header name
+     */
+    const NAME = 'X-XSS-Protection';
+
+    /**
+     * Matches IE 8 browsers
+     */
+    const IE_8_USER_AGENT = 'MSIE 8';
+
+    /**
+     * @var Header
+     */
+    private $headerService;
+
+    /**
+     * @param Header $headerService
+     */
+    public function __construct(Header $headerService)
+    {
+        $this->headerService = $headerService;
+    }
+
+    /**
+     * Whether the header should be attached to the response
+     *
+     * @return bool
+     */
+    public function canApply()
+    {
+        return true;
+    }
+
+    /**
+     * Header name
+     *
+     * @return string
+     */
+    public function getName()
+    {
+        return self::NAME;
+    }
+
+    /**
+     * Header value. Must be disabled for IE 8.
+     *
+     * @return string
+     */
+    public function getValue()
+    {
+        return strpos($this->headerService->getHttpUserAgent(), self::IE_8_USER_AGENT) === false
+            ? '1; mode=block'
+            : '0';
+    }
+}
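Review bot: `getValue()` states that the header "must be disabled for IE 8" but neither it nor `IE_8_USER_AGENT` records why a value of `0` (filter fully off) is chosen over simply omitting the header, so the reasoning from MAGETWO-46581 should be written down next to the constant, e.g. `// IE 8's XSS filter is disabled outright (value 0) because its implementation is known to misbehave; see MAGETWO-46581 — confirm wording against the ticket`. The match itself is a bare substring test, `strpos(..., 'MSIE 8') === false`, so any client whose User-Agent merely contains `MSIE 8` is treated as IE 8, while IE 8 running in Compatibility View presumably reports `MSIE 7.0` (with `Trident/4.0`) and would still receive `1; mode=block` — worth confirming whether that case matters. An absent User-Agent gives an empty haystack, so `strpos` returns `false` and the client receives `1; mode=block`, which is the safer default; a one-line comment saying that is deliberate, `// no/unknown UA falls through to the protective value`, would make it clear it is not an oversight.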
-- 
GitLab