MAGETWO-86718: x-frame-options missing from a few templates

Author: OlgaVasyltsun

app/code/Magento/MediaStorage/Model/File/Storage/Response.php

@@ -56,7 +56,11 @@ public function __construct(
     public function sendResponse()
     {
         if ($this->_filePath && $this->getHttpResponseCode() == 200) {
-            $this->_transferAdapter->send($this->_filePath);
+            $options = [
+                'filepath' => $this->_filePath,
+                'headers' => $this->getHeaders(),
+            ];
+            $this->_transferAdapter->send($options);
         } else {
             parent::sendResponse();
         }

app/code/Magento/MediaStorage/Test/Unit/Model/File/Storage/ResponseTest.php

@@ -0,0 +1,74 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\MediaStorage\Test\Unit\Model\File\Storage;
+
+use Magento\Framework\TestFramework\Unit\Helper\ObjectManager;
+
+/** Unit tests for \Magento\MediaStorage\Model\File\Storage\Response class */
+class ResponseTest extends \PHPUnit\Framework\TestCase
+{
+    /**
+     * @var \Magento\MediaStorage\Model\File\Storage\Response
+     */
+    private $response;
+
+    /**
+     * @var \Magento\Framework\File\Transfer\Adapter\Http|\PHPUnit_Framework_MockObject_MockObject
+     */
+    private $transferAdapter;
+
+    /**
+     * @inheritdoc
+     */
+    protected function setUp()
+    {
+        $objectManager = new ObjectManager($this);
+        $this->transferAdapter = $this->getMockBuilder(\Magento\Framework\File\Transfer\Adapter\Http::class)
+            ->disableOriginalConstructor()
+            ->setMethods(['send'])
+            ->getMock();
+        $this->response = $objectManager->getObject(
+            \Magento\MediaStorage\Model\File\Storage\Response::class,
+            [
+                'transferAdapter' => $this->transferAdapter,
+                'statusCode' => 200,
+            ]
+        );
+    }
+
+    /**
+     * @return void
+     */
+    public function testSendResponse(): void
+    {
+        $filePath = 'file_path';
+        $headers = $this->getMockBuilder(\Zend\Http\Headers::class)->getMock();
+        $this->response->setFilePath($filePath);
+        $this->response->setHeaders($headers);
+        $this->transferAdapter
+            ->expects($this->atLeastOnce())
+            ->method('send')
+            ->with(
+                [
+                    'filepath' => $filePath,
+                    'headers' => $headers,
+                ]
+            );
+
+        $this->response->sendResponse();
+    }
+
+    /**
+     * @return void
+     */
+    public function testSendResponseWithoutFilePath(): void
+    {
+        $this->transferAdapter->expects($this->never())->method('send');
+        $this->response->sendResponse();
+    }
+}

dev/tests/integration/testsuite/Magento/MediaStorage/Model/File/Storage/ResponseTest.php

@@ -0,0 +1,60 @@
+<?php
+/**
+ * Copyright © Magento, Inc. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+declare(strict_types=1);
+
+namespace Magento\MediaStorage\Model\File\Storage;
+
+/**
+ * Tests for \Magento\MediaStorage\Model\File\Storage\Response class
+ */
+class ResponseTest extends \PHPUnit\Framework\TestCase
+{
+    /**
+     * test for \Magento\MediaStorage\Model\File\Storage\Response::sendResponse()
+     *
+     * @return void
+     */
+    public function testSendResponse(): void
+    {
+        $expectedHeaders = [
+            [
+                'field_name' => 'X-Content-Type-Options',
+                'field_value' => 'nosniff',
+            ],
+            [
+                'field_name' => 'X-XSS-Protection',
+                'field_value' => '1; mode=block',
+            ],
+            [
+                'field_name' => 'X-Frame-Options',
+                'field_value' => 'SAMEORIGIN',
+            ],
+        ];
+        $filePath = realpath(__DIR__ . '/../../../_files/test_file.html');
+        /** @var \Magento\MediaStorage\Model\File\Storage\Response $response */
+        $mediaStorageResponse = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->create(
+            \Magento\MediaStorage\Model\File\Storage\Response::class
+        );
+        $mediaStorageResponse->setFilePath($filePath);
+        ob_start();
+        $mediaStorageResponse->sendResponse();
+        ob_end_clean();
+        /** @var \Magento\Framework\App\Response\Http $frameworkResponse */
+        $frameworkResponse = \Magento\TestFramework\Helper\Bootstrap::getObjectManager()->get(
+            \Magento\Framework\HTTP\PhpEnvironment\Response::class
+        );
+        $actualHeaders = [];
+        foreach ($frameworkResponse->getHeaders() as $responseHeader) {
+            $actualHeaders[] = [
+                'field_name' => $responseHeader->getFieldName(),
+                'field_value' => $responseHeader->getFieldValue(),
+            ];
+        }
+        foreach ($expectedHeaders as $expected) {
+            $this->assertTrue(in_array($expected, $actualHeaders));
+        }
+    }
+}

dev/tests/integration/testsuite/Magento/MediaStorage/_files/test_file.html

@@ -0,0 +1 @@
+test data

lib/internal/Magento/Framework/File/Test/Unit/Transfer/Adapter/HttpTest.php

@@ -24,17 +24,23 @@ class HttpTest extends \PHPUnit\Framework\TestCase
      */
     private $mime;
 
+    /**
+     * @inheritdoc
+     */
     protected function setUp()
     {
         $this->response = $this->createPartialMock(
             \Magento\Framework\HTTP\PhpEnvironment\Response::class,
-            ['setHeader', 'sendHeaders']
+            ['setHeader', 'sendHeaders', 'setHeaders']
         );
         $this->mime = $this->createMock(\Magento\Framework\File\Mime::class);
         $this->object = new Http($this->response, $this->mime);
     }
 
-    public function testSend()
+    /**
+     * @return void
+     */
+    public function testSend(): void
     {
         $file = __DIR__ . '/../../_files/javascript.js';
         $contentType = 'content/type';
@@ -56,20 +62,47 @@ public function testSend()
         $this->object->send($file);
     }
 
+    /**
+     * @return void
+     */
+    public function testSendWithOptions(): void
+    {
+        $file = __DIR__ . '/../../_files/javascript.js';
+        $contentType = 'content/type';
+
+        $headers = $this->getMockBuilder(\Zend\Http\Headers::class)->getMock();
+        $this->response->expects($this->atLeastOnce())
+            ->method('setHeader')
+            ->withConsecutive(['Content-length', filesize($file)], ['Content-Type', $contentType]);
+        $this->response->expects($this->atLeastOnce())
+            ->method('setHeaders')
+            ->with($headers);
+        $this->response->expects($this->once())
+            ->method('sendHeaders');
+        $this->mime->expects($this->once())
+            ->method('getMimeType')
+            ->with($file)
+            ->will($this->returnValue($contentType));
+        $this->expectOutputString(file_get_contents($file));
+
+        $this->object->send(['filepath' => $file, 'headers' => $headers]);
+    }
     /**
      * @expectedException \InvalidArgumentException
      * @expectedExceptionMessage Filename is not set
+     * @return void
      */
-    public function testSendNoFileSpecifiedException()
+    public function testSendNoFileSpecifiedException(): void
     {
         $this->object->send([]);
     }
 
     /**
      * @expectedException \InvalidArgumentException
      * @expectedExceptionMessage File 'nonexistent.file' does not exists
+     * @return void
      */
-    public function testSendNoFileExistException()
+    public function testSendNoFileExistException(): void
     {
         $this->object->send('nonexistent.file');
     }

lib/internal/Magento/Framework/File/Transfer/Adapter/Http.php

@@ -40,20 +40,16 @@ public function __construct(
      */
     public function send($options = null)
     {
-        if (is_string($options)) {
-            $filepath = $options;
-        } elseif (is_array($options) && isset($options['filepath'])) {
-            $filepath = $options['filepath'];
-        } else {
-            throw new \InvalidArgumentException("Filename is not set.");
-        }
+        $filepath = $this->getFilePath($options);
 
         if (!is_file($filepath) || !is_readable($filepath)) {
             throw new \InvalidArgumentException("File '{$filepath}' does not exists.");
         }
 
         $mimeType = $this->mime->getMimeType($filepath);
-
+        if (is_array($options) && isset($options['headers']) && $options['headers'] instanceof \Zend\Http\Headers) {
+            $this->response->setHeaders($options['headers']);
+        }
         $this->response->setHeader('Content-length', filesize($filepath));
         $this->response->setHeader('Content-Type', $mimeType);
 
@@ -70,4 +66,26 @@ public function send($options = null)
             fclose($handle);
         }
     }
+
+    /**
+     * Get filepath by provided parameter $optons.
+     * If the $options is a string it assumes it's a file path. If the option is an array method will look for the
+     * 'filepath' key and return it's value.
+     *
+     * @param string|array|null $options
+     * @return string
+     * @throws \InvalidArgumentException
+     */
+    private function getFilePath($options): string
+    {
+        if (is_string($options)) {
+            $filePath = $options;
+        } elseif (is_array($options) && isset($options['filepath'])) {
+            $filePath = $options['filepath'];
+        } else {
+            throw new \InvalidArgumentException("Filename is not set.");
+        }
+
+        return $filePath;
+    }
 }