Merge remote-tracking branch 'ogresCE/MAGETWO-43510-x-frame' into PR_Branch

mazhalai · mazhalai · commit b20558dc8dbd · 2015-11-02T14:27:36.000-06:00
diff --git a/nginx.conf.sample b/nginx.conf.sample
@@ -39,6 +39,10 @@ location /setup {
     location ~ ^/setup/(?!pub/). {
         deny all;
     }
+
+    location ~ ^/setup/pub/ {
+        add_header X-Frame-Options "SAMEORIGIN";
+    }
 }
 
 location /update {
@@ -55,6 +59,10 @@ location /update {
     location ~ ^/update/(?!pub/). {
         deny all;
     }
+
+    location ~ ^/update/pub/ {
+        add_header X-Frame-Options "SAMEORIGIN";
+    }
 }
 
 location / {
@@ -66,6 +74,7 @@ location /pub {
         deny all;
     }
     alias $MAGE_ROOT/pub;
+    add_header X-Frame-Options "SAMEORIGIN";
 }
 
 location /static/ {
@@ -74,6 +83,7 @@ location /static/ {
     }
     location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
         add_header Cache-Control "public";
+        add_header X-Frame-Options "SAMEORIGIN";
         expires +1y;
 
         if (!-f $request_filename) {
@@ -82,6 +92,7 @@ location /static/ {
     }
     location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
         add_header Cache-Control "no-store";
+        add_header X-Frame-Options "SAMEORIGIN";
         expires    off;
 
         if (!-f $request_filename) {
@@ -91,6 +102,7 @@ location /static/ {
     if (!-f $request_filename) {
         rewrite ^/static/(version\d*/)?(.*)$ /static.php?resource=$2 last;
     }
+    add_header X-Frame-Options "SAMEORIGIN";
 }
 
 location /media/ {
@@ -102,14 +114,17 @@ location /media/ {
 
     location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
         add_header Cache-Control "public";
+        add_header X-Frame-Options "SAMEORIGIN";
         expires +1y;
         try_files $uri $uri/ /get.php?$args;
     }
     location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
         add_header Cache-Control "no-store";
+        add_header X-Frame-Options "SAMEORIGIN";
         expires    off;
         try_files $uri $uri/ /get.php?$args;
     }
+    add_header X-Frame-Options "SAMEORIGIN";
 }
 
 location /media/customer/ {
diff --git a/pub/.htaccess b/pub/.htaccess
@@ -208,3 +208,9 @@
         order allow,deny
         deny from all
     </Files>
+
+<IfModule mod_headers.c>
+    ############################################
+    ## prevent clickjacking
+    Header set X-Frame-Options SAMEORIGIN
+</IfModule>
diff --git a/setup/pub/.htaccess b/setup/pub/.htaccess
@@ -0,0 +1,5 @@
+<IfModule mod_headers.c>
+    ############################################
+    ## prevent clickjacking
+    Header set X-Frame-Options SAMEORIGIN
+</IfModule>
diff --git a/setup/src/Magento/Setup/Module.php b/setup/src/Magento/Setup/Module.php
@@ -49,6 +49,7 @@ public function onBootstrap(EventInterface $e)
                 $headers->addHeaderLine('Cache-Control', 'no-cache, no-store, must-revalidate');
                 $headers->addHeaderLine('Pragma', 'no-cache');
                 $headers->addHeaderLine('Expires', '1970-01-01');
+                $headers->addHeaderLine('X-Frame-Options: SAMEORIGIN');
             }
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,10 @@ location /setup {`
`39`	`39`	`location ~ ^/setup/(?!pub/). {`
`40`	`40`	`deny all;`
`41`	`41`	`}`
	`42`	`+`
	`43`	`+ location ~ ^/setup/pub/ {`
	`44`	`+ add_header X-Frame-Options "SAMEORIGIN";`
	`45`	`+ }`
`42`	`46`	`}`
`43`	`47`
`44`	`48`	`location /update {`
`@@ -55,6 +59,10 @@ location /update {`
`55`	`59`	`location ~ ^/update/(?!pub/). {`
`56`	`60`	`deny all;`
`57`	`61`	`}`
	`62`	`+`
	`63`	`+ location ~ ^/update/pub/ {`
	`64`	`+ add_header X-Frame-Options "SAMEORIGIN";`
	`65`	`+ }`
`58`	`66`	`}`
`59`	`67`
`60`	`68`	`location / {`
`@@ -66,6 +74,7 @@ location /pub {`
`66`	`74`	`deny all;`
`67`	`75`	`}`
`68`	`76`	`alias $MAGE_ROOT/pub;`
	`77`	`+ add_header X-Frame-Options "SAMEORIGIN";`
`69`	`78`	`}`
`70`	`79`
`71`	`80`	`location /static/ {`
`@@ -74,6 +83,7 @@ location /static/ {`
`74`	`83`	`}`
`75`	`84`	`location ~* \.(ico\|jpg\|jpeg\|png\|gif\|svg\|js\|css\|swf\|eot\|ttf\|otf\|woff\|woff2)$ {`
`76`	`85`	`add_header Cache-Control "public";`
	`86`	`+ add_header X-Frame-Options "SAMEORIGIN";`
`77`	`87`	`expires +1y;`
`78`	`88`
`79`	`89`	`if (!-f $request_filename) {`
`@@ -82,6 +92,7 @@ location /static/ {`
`82`	`92`	`}`
`83`	`93`	`location ~* \.(zip\|gz\|gzip\|bz2\|csv\|xml)$ {`
`84`	`94`	`add_header Cache-Control "no-store";`
	`95`	`+ add_header X-Frame-Options "SAMEORIGIN";`
`85`	`96`	`expires off;`
`86`	`97`
`87`	`98`	`if (!-f $request_filename) {`
`@@ -91,6 +102,7 @@ location /static/ {`
`91`	`102`	`if (!-f $request_filename) {`
`92`	`103`	`rewrite ^/static/(version\d/)?(.)$ /static.php?resource=$2 last;`
`93`	`104`	`}`
	`105`	`+ add_header X-Frame-Options "SAMEORIGIN";`
`94`	`106`	`}`
`95`	`107`
`96`	`108`	`location /media/ {`
`@@ -102,14 +114,17 @@ location /media/ {`
`102`	`114`
`103`	`115`	`location ~* \.(ico\|jpg\|jpeg\|png\|gif\|svg\|js\|css\|swf\|eot\|ttf\|otf\|woff\|woff2)$ {`
`104`	`116`	`add_header Cache-Control "public";`
	`117`	`+ add_header X-Frame-Options "SAMEORIGIN";`
`105`	`118`	`expires +1y;`
`106`	`119`	`try_files $uri $uri/ /get.php?$args;`
`107`	`120`	`}`
`108`	`121`	`location ~* \.(zip\|gz\|gzip\|bz2\|csv\|xml)$ {`
`109`	`122`	`add_header Cache-Control "no-store";`
	`123`	`+ add_header X-Frame-Options "SAMEORIGIN";`
`110`	`124`	`expires off;`
`111`	`125`	`try_files $uri $uri/ /get.php?$args;`
`112`	`126`	`}`
	`127`	`+ add_header X-Frame-Options "SAMEORIGIN";`
`113`	`128`	`}`
`114`	`129`
`115`	`130`	`location /media/customer/ {`
Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,7 @@ public function onBootstrap(EventInterface $e)`
`49`	`49`	`$headers->addHeaderLine('Cache-Control', 'no-cache, no-store, must-revalidate');`
`50`	`50`	`$headers->addHeaderLine('Pragma', 'no-cache');`
`51`	`51`	`$headers->addHeaderLine('Expires', '1970-01-01');`
	`52`	`+ $headers->addHeaderLine('X-Frame-Options: SAMEORIGIN');`
`52`	`53`	`}`
`53`	`54`	`}`
`54`	`55`	`}`