
Commit c741c4d

committed
Remove X-Frame-Options header in favor of CSP frame-ancestors
Signed-off-by: Maximilian Krög <maxi_kroeg@web.de>
1 parent 8f15b3f commit c741c4d

2 files changed

Lines changed: 10 additions & 16 deletions


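--- a/src/Header.php
+++ b/src/Header.php
@@ -376,13 +376,6 @@ public function getHttpHeaders(ClockInterface|null $clock = null): array
 'Permissions-Policy' => 'fullscreen=(self), interest-cohort=()',
 ];
 
-/* Prevent against ClickJacking by disabling framing */
-if ($this->config->config->AllowThirdPartyFraming === 'sameorigin') {
-$headers['X-Frame-Options'] = 'SAMEORIGIN';
-} elseif ($this->config->config->AllowThirdPartyFraming !== true) {
-$headers['X-Frame-Options'] = 'DENY';
-}
-
 $headers = array_merge($headers, Core::getNoCacheHeaders($clock ?? new Clock()));
 
 /**
@@ -445,6 +438,13 @@ private function getCspHeader(): string
 "style-src 'self' 'unsafe-inline'" . $captchaUrl . $cspAllow,
 ];
 
+// Prevent click-jacking by disabling inline-framing
+if ($this->config->config->AllowThirdPartyFraming === 'sameorigin') {
+$csp[] = "frame-ancestors 'self'";
+} elseif ($this->config->config->AllowThirdPartyFraming !== true) {
+$csp[] = "frame-ancestors 'none'";
+}
+
 return implode('; ', $csp) . ';';
 }
 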
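Review bot: Dropping X-Frame-Options outright, rather than keeping it next to the new frame-ancestors directive in getCspHeader(), removes the only framing restriction that clients without CSP Level 2 support will honour, and retaining it costs nothing because the CSP specification directs user agents that understand frame-ancestors to ignore X-Frame-Options when both are present. I would keep the six removed lines in getHttpHeaders() as a documented fallback, e.g. `// Legacy fallback for clients without CSP2; frame-ancestors in getCspHeader() takes precedence where supported`. Note also that frame-ancestors is only enforced when the policy arrives as an HTTP response header, not via a <meta http-equiv> element, so any such delivery path for this string would silently lose the protection — getCspHeader() begins outside the hunk, so I cannot tell from here how the string is emitted. Finally, the added comment `// Prevent click-jacking by disabling inline-framing` describes the directive loosely; `// Prevent click-jacking: restrict which origins may embed this page in a frame` is closer to what frame-ancestors does.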
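--- a/tests/unit/HeaderTest.php
+++ b/tests/unit/HeaderTest.php
@@ -186,7 +186,6 @@ public function testGetHttpHeaders(
 string $privateKey,
 string $publicKey,
 string $captchaCsp,
-string|null $expectedFrameOptions,
 string $expectedCsp,
 ): void {
 $header = $this->getNewHeaderInstance();
@@ -206,21 +205,17 @@ public function testGetHttpHeaders(
 'X-Permitted-Cross-Domain-Policies' => 'none',
 'X-Robots-Tag' => 'noindex, nofollow',
 'Permissions-Policy' => 'fullscreen=(self), interest-cohort=()',
-'X-Frame-Options' => $expectedFrameOptions ?? '',
 'Expires' => 'Wed, 21 Oct 2015 07:28:00 GMT',
 'Cache-Control' => 'no-store, no-cache, must-revalidate, pre-check=0, post-check=0, max-age=0',
 'Pragma' => 'no-cache',
 'Last-Modified' => 'Wed, 21 Oct 2015 07:28:00 GMT',
 'Content-Type' => 'text/html; charset=utf-8',
 ];
-if ($expectedFrameOptions === null) {
-unset($expected['X-Frame-Options']);
-}
 
 self::assertSame($expected, $header->getHttpHeaders(MockClock::from('2015-10-21T05:28:00-02:00')));
 }
 
-/** @psalm-return list<array{string|bool, string, string, string, string, string|null, string}> */
+/** @psalm-return list<array{string|bool, string, string, string, string|null, string}> */
 public static function providerForTestGetHttpHeaders(): array
 {
 return [
@@ -230,33 +225,32 @@ public static function providerForTestGetHttpHeaders(): array
 '',
 '',
 '',
-'DENY',
 "default-src 'self';"
 . " img-src 'self' data: tile.openstreetmap.org;"
 . " object-src 'none';"
 . " script-src 'self' 'unsafe-inline' 'unsafe-eval';"
 . " style-src 'self' 'unsafe-inline';"
+. " frame-ancestors 'none';",
 ],
 [
 'sameorigin',
 'example.com example.net',
 'PrivateKey',
 'PublicKey',
 'captcha.tld csp.tld',
-'SAMEORIGIN',
 "default-src 'self' captcha.tld csp.tld example.com example.net;"
 . " img-src 'self' data: captcha.tld csp.tld example.com example.net tile.openstreetmap.org;"
 . " object-src 'none';"
 . " script-src 'self' 'unsafe-inline' 'unsafe-eval' captcha.tld csp.tld example.com example.net;"
 . " style-src 'self' 'unsafe-inline' captcha.tld csp.tld example.com example.net;"
+. " frame-ancestors 'self';",
 ],
 [
 true,
 '',
 'PrivateKey',
 'PublicKey',
 'captcha.tld csp.tld',
-null,
 "default-src 'self' captcha.tld csp.tld;"
 . " img-src 'self' data: captcha.tld csp.tld tile.openstreetmap.org;"
 . " object-src 'none';"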
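Review bot: The provider still has no dataset for an unrecognised AllowThirdPartyFraming value, so the fail-closed path of getCspHeader() — any string other than 'sameorigin', such as 'SAMEORIGIN' or 'true', yields `frame-ancestors 'none'` through the `!== true` comparison — remains untested, and a mistyped config value is the case most worth pinning for a security header. Adding a fourth dataset with such a value and an expected CSP ending in `. " frame-ancestors 'none';",` would cover it. The first dataset's leading element and the tail of the third dataset lie outside the hunk, so I have inferred the covered values from the expected strings rather than confirmed them.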
