MAGETWO-16192: Security: Clickjacking solution - introduce X-Frame-Options

 - change default and backend permission to SAMEORIGIN

Author: Dale Sikkema

app/code/Magento/Store/etc/di.xml

@@ -296,8 +296,4 @@
             </argument>
         </arguments>
     </type>
-    <type name="Magento\Framework\App\Response\Http">
-        <plugin name="xFrameOptionsHeader" type="Magento\Framework\App\Response\XFrameOptPlugin"/>
-    </type>
-
 </config>

app/etc/di.xml

@@ -136,6 +136,9 @@
     <preference for="Magento\Framework\Api\ImageContentValidatorInterface" type="Magento\Framework\Api\ImageContentValidator" />
     <preference for="Magento\Framework\Api\ImageProcessorInterface" type="Magento\Framework\Api\ImageProcessor" />
     <preference for="Magento\Framework\Code\Reader\ClassReaderInterface" type="Magento\Framework\Code\Reader\ClassReader" />
+    <type name="Magento\Framework\App\Response\Http">
+        <plugin name="xFrameOptionsHeader" type="Magento\Framework\App\Response\XFrameOptPlugin"/>
+    </type>
     <type name="Magento\Framework\App\Response\XFrameOptPlugin">
         <arguments>
                 <argument name="xFrameOpt" xsi:type="init_parameter">Magento\Framework\App\Response\XFrameOptPlugin::DEPLOYMENT_CONFIG_X_FRAME_OPT</argument>

lib/internal/Magento/Framework/App/Response/XFrameOptPlugin.php

@@ -14,8 +14,8 @@ class XFrameOptPlugin
     /** Deployment config key for frontend x-frame-options header value */
     const DEPLOYMENT_CONFIG_X_FRAME_OPT = 'x-frame-options';
 
-    /** Always send DENY in backend x-frame-options header */
-    const BACKEND_X_FRAME_OPT = 'DENY';
+    /** Always send SAMEORIGIN in backend x-frame-options header */
+    const BACKEND_X_FRAME_OPT = 'SAMEORIGIN';
 
     /**
      *The header value

lib/internal/Magento/Framework/App/Test/Unit/Response/HttpTest.php

@@ -274,7 +274,7 @@ public function testWakeUpWith()
 
     public function testSetXFrameOptions()
     {
-        $value = 'SAMEORIGIN';
+        $value = 'DENY';
         $this->model->setXFrameOptions($value);
         $this->assertSame($value, $this->model->getHeader(Http::HEADER_X_FRAME_OPT)->getFieldValue());
     }

setup/src/Magento/Setup/Model/ConfigGenerator.php

@@ -220,7 +220,7 @@ public function createXFrameConfig()
     {
         $configData = new ConfigData(ConfigFilePool::APP_ENV);
         if ($this->deploymentConfig->get(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT) === null) {
-            $configData->set(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT, 'DENY');
+            $configData->set(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT, 'SAMEORIGIN');
         }
         return $configData;
     }

setup/src/Magento/Setup/Test/Unit/Model/ConfigGeneratorTest.php

@@ -36,6 +36,6 @@ public function testCreateXFrameConfig()
             ->with(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT)
             ->willReturn(null);
         $configData = $this->model->createXFrameConfig();
-        $this->assertSame('DENY', $configData->getData()[ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT]);
+        $this->assertSame('SAMEORIGIN', $configData->getData()[ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT]);
     }
 }