From 4076ed2bcac21ebd03e4ab8a6a32028a6fa76043 Mon Sep 17 00:00:00 2001
From: Dale Sikkema <dsikkema@ebay.com>
Date: Thu, 10 Dec 2015 14:43:50 -0600
Subject: [PATCH] MAGETWO-46581: X-XSS-Protection is set on IE 8
---
 .htaccess | 7 --
 app/etc/di.xml | 2 +
 .../Response/Header/XContentTypeOptions.php | 14 ++++
 .../App/Response/Header/XssProtection.php | 68 +++++++++++++++++++
 4 files changed, 84 insertions(+), 7 deletions(-)
 create mode 100644 lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
 create mode 100644 lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
diff --git a/.htaccess b/.htaccess
index 50c06d4e3ae..60d71d7a170 100644
--- a/.htaccess
+++ b/.htaccess
@@ -285,10 +285,3 @@ ## http://developer.yahoo.com/performance/rules.html#etags #FileETag none - -############################################ -## Add custom headers -<IfModule mod_headers.c> - Header set X-Content-Type-Options "nosniff" - Header set X-XSS-Protection "1; mode=block" -</IfModule>
diff --git a/app/etc/di.xml b/app/etc/di.xml
index d3d67b9bb35..c0726df7148 100755
--- a/app/etc/di.xml
+++ b/app/etc/di.xml
@@ -1076,6 +1076,8 @@
 <arguments>
 <argument name="headerProviderList" xsi:type="array">
 <item name="x-frame-options" xsi:type="object">Magento\Framework\App\Response\Header\XFrameOptions</item>
+<item name="x-content-type-options" xsi:type="object">Magento\Framework\App\Response\Header\XContentTypeOptions</item>
+<item name="x-xss-protection" xsi:type="object">Magento\Framework\App\Response\Header\XssProtection</item>
 </argument>
 </arguments>
 </type>
diff --git a/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php b/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
new file mode 100644
index 00000000000..6776b81af66
--- /dev/null
+++ b/lib/internal/Magento/Framework/App/Response/Header/XContentTypeOptions.php
@@ -0,0 +1,14 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\App\Response\Header;
+
+use Magento\Framework\App\Response\Header\AbstractHeader;
+
+class XContentTypeOptions extends AbstractHeader
+{
+ protected $value = 'nosniff';
+ protected $name = 'X-Content-Type-Options';
+}
diff --git a/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php b/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
new file mode 100644
index 00000000000..06817457aac
--- /dev/null
+++ b/lib/internal/Magento/Framework/App/Response/Header/XssProtection.php
@@ -0,0 +1,68 @@
+<?php
+/**
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+namespace Magento\Framework\App\Response\Header;
+
+use Magento\Framework\App\RequestInterface;
+use Magento\Framework\App\Response\HeaderProviderInterface;
+use Magento\Framework\HTTP\Header;
+
+class XssProtection implements HeaderProviderInterface
+{
+ /**
+ * Header name
+ */
+ const NAME = 'X-XSS-Protection';
+
+ /**
+ * Matches IE 8 browsers
+ */
+ const IE_8_USER_AGENT = 'MSIE 8';
+
+ /**
+ * @var Header
+ */
+ private $headerService;
+
+ /**
+ * @param Header $headerService
+ */
+ public function __construct(Header $headerService)
+ {
+ $this->headerService = $headerService;
+ }
+
+ /**
+ * Whether the header should be attached to the response
+ *
+ * @return bool
+ */
+ public function canApply()
+ {
+ return true;
+ }
+
+ /**
+ * Header name
+ *
+ * @return string
+ */
+ public function getName()
+ {
+ return self::NAME;
+ }
+
+ /**
+ * Header value. Must be disabled for IE 8.
+ *
+ * @return string
+ */
+ public function getValue()
+ {
+ return strpos($this->headerService->getHttpUserAgent(), self::IE_8_USER_AGENT) === false
+ ? '1; mode=block'
+ : '0';
+ }
+}
-- GitLab
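Review bot: The new class carries no docblock, so a reader has to open AbstractHeader to learn what `$value` and `$name` feed; add a one-line class comment such as `/** Emits the X-Content-Type-Options: nosniff header, replacing the mod_headers directive dropped from .htaccess in this commit. */` above `class XContentTypeOptions`. The two protected properties would likewise benefit from `@var string` tags, matching the PHPDoc style the sibling XssProtection class uses for its members.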
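Review bot: `use Magento\Framework\App\RequestInterface;` is imported but never referenced anywhere in XssProtection; remove it, since the user agent is read through the injected `Header` service instead. The `IE_8_USER_AGENT` constant deserves a comment stating that `strpos` does a plain substring match, so any user agent containing `MSIE 8` — presumably including newer IE releases running in compatibility view, which appear to report that token — is treated as IE 8 and receives `X-XSS-Protection: 0`; confirm that scope is intended. `getValue()` also assumes `getHttpUserAgent()` returns a string; if it can yield `null` or `false` for a request without a User-Agent header, that should be stated in the docblock, e.g. `@return string '1; mode=block', or '0' when the user agent reports IE 8`.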