Merge remote-tracking branch 'origin/MAGETWO-16192-x-frame-opt' into develop

Joan He · Joan He · commit f15ddf1d9b96 · 2015-06-23T14:34:42.000-05:00
diff --git a/.htaccess b/.htaccess
@@ -65,13 +65,6 @@
     SecFilterScanPOST Off
 </IfModule>
 
-<IfModule mod_headers.c>
-############################################
-## prevent clickjacking
-
-    Header set X-Frame-Options SAMEORIGIN
-</IfModule>
-
 <IfModule mod_deflate.c>
 
 ############################################
@@ -187,4 +180,4 @@
 ## If running in cluster environment, uncomment this
 ## http://developer.yahoo.com/performance/rules.html#etags
 
-    #FileETag none
+    #FileETag none
diff --git a/app/code/Magento/Backend/etc/adminhtml/di.xml b/app/code/Magento/Backend/etc/adminhtml/di.xml
@@ -122,4 +122,9 @@
             </argument>
         </arguments>
     </type>
+    <type name="Magento\Framework\App\Response\XFrameOptPlugin">
+        <arguments>
+            <argument name="xFrameOpt" xsi:type="const">Magento\Framework\App\Response\XFrameOptPlugin::BACKEND_X_FRAME_OPT</argument>
+        </arguments>
+    </type>
 </config>
diff --git a/app/code/Magento/Store/etc/di.xml b/app/code/Magento/Store/etc/di.xml
@@ -9,6 +9,14 @@
     <preference for="Magento\Framework\App\Request\PathInfoProcessorInterface" type="Magento\Store\App\Request\PathInfoProcessor" />
     <preference for="Magento\Store\Model\StoreManagerInterface" type="Magento\Store\Model\StoreManager" />
     <preference for="Magento\Framework\App\Response\RedirectInterface" type="Magento\Store\App\Response\Redirect" />
+    <type name="Magento\Framework\App\Response\Http">
+        <plugin name="xFrameOptionsHeader" type="Magento\Framework\App\Response\XFrameOptPlugin"/>
+    </type>
+    <type name="Magento\Framework\App\Response\XFrameOptPlugin">
+        <arguments>
+            <argument name="xFrameOpt" xsi:type="init_parameter">Magento\Framework\App\Response\XFrameOptPlugin::DEPLOYMENT_CONFIG_X_FRAME_OPT</argument>
+        </arguments>
+    </type>
     <type name="Magento\Framework\App\Config\ScopePool">
         <arguments>
             <argument name="readerPool" xsi:type="object">Magento\Store\Model\Config\Reader\ReaderPool\Proxy</argument>
diff --git a/lib/internal/Magento/Framework/App/Response/Http.php b/lib/internal/Magento/Framework/App/Response/Http.php
@@ -21,6 +21,9 @@ class Http extends \Magento\Framework\HTTP\PhpEnvironment\Response
     /** Format for expiration timestamp headers */
     const EXPIRATION_TIMESTAMP_FORMAT = 'D, d M Y H:i:s T';
 
+    /** X-FRAME-OPTIONS Header name */
+    const HEADER_X_FRAME_OPT = 'X-Frame-Options';
+
     /** @var \Magento\Framework\Stdlib\CookieManagerInterface */
     protected $cookieManager;
 
@@ -51,6 +54,17 @@ public function __construct(
         $this->dateTime = $dateTime;
     }
 
+    /**
+     * Sends the X-FRAME-OPTIONS header to protect against click-jacking
+     *
+     * @param string $value
+     * @return void
+     */
+    public function setXFrameOptions($value)
+    {
+        $this->setHeader(self::HEADER_X_FRAME_OPT, $value);
+    }
+
     /**
      * Send Vary cookie
      *
@@ -109,6 +123,7 @@ public function setPrivateHeaders($ttl)
      * Set headers for no-cache responses
      *
      * @return void
+     * @codeCoverageIgnore
      */
     public function setNoCacheHeaders()
     {
@@ -122,6 +137,7 @@ public function setNoCacheHeaders()
      *
      * @param string $content String in JSON format
      * @return \Magento\Framework\App\Response\Http
+     * @codeCoverageIgnore
      */
     public function representJson($content)
     {
@@ -131,6 +147,7 @@ public function representJson($content)
 
     /**
      * @return string[]
+     * @codeCoverageIgnore
      */
     public function __sleep()
     {
@@ -141,6 +158,7 @@ public function __sleep()
      * Need to reconstruct dependencies when being de-serialized.
      *
      * @return void
+     * @codeCoverageIgnore
      */
     public function __wakeup()
     {
@@ -154,6 +172,7 @@ public function __wakeup()
      *
      * @param string $time
      * @return string
+     * @codeCoverageIgnore
      */
     protected function getExpirationHeader($time)
     {
diff --git a/lib/internal/Magento/Framework/App/Response/XFrameOptPlugin.php b/lib/internal/Magento/Framework/App/Response/XFrameOptPlugin.php
@@ -0,0 +1,43 @@
+<?php
+/***
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Framework\App\Response;
+
+/**
+ * Adds an X-FRAME-OPTIONS header to HTTP responses to safeguard against click-jacking.
+ */
+class XFrameOptPlugin
+{
+    /** Deployment config key for frontend x-frame-options header value */
+    const DEPLOYMENT_CONFIG_X_FRAME_OPT = 'x-frame-options';
+
+    /** Always send SAMEORIGIN in backend x-frame-options header */
+    const BACKEND_X_FRAME_OPT = 'SAMEORIGIN';
+
+    /**
+     *The header value
+     * @var string
+     */
+    private $xFrameOpt;
+
+    /**
+     * @param string $xFrameOpt
+     */
+    public function __construct($xFrameOpt)
+    {
+        $this->xFrameOpt = $xFrameOpt;
+    }
+
+    /**
+     * @param \Magento\Framework\App\Response\Http $subject
+     * @return void
+     * @codeCoverageIgnore
+     */
+    public function beforeSendResponse(\Magento\Framework\App\Response\Http $subject)
+    {
+        $subject->setXFrameOptions($this->xFrameOpt);
+    }
+}
diff --git a/lib/internal/Magento/Framework/App/Test/Unit/Response/HttpTest.php b/lib/internal/Magento/Framework/App/Test/Unit/Response/HttpTest.php
@@ -271,4 +271,11 @@ public function testWakeUpWith()
         \Magento\Framework\App\ObjectManager::setInstance($objectManagerMock);
         $this->model->__wakeup();
     }
+
+    public function testSetXFrameOptions()
+    {
+        $value = 'DENY';
+        $this->model->setXFrameOptions($value);
+        $this->assertSame($value, $this->model->getHeader(Http::HEADER_X_FRAME_OPT)->getFieldValue());
+    }
 }
diff --git a/lib/internal/Magento/Framework/Config/ConfigOptionsListConstants.php b/lib/internal/Magento/Framework/Config/ConfigOptionsListConstants.php
@@ -22,6 +22,7 @@ class ConfigOptionsListConstants
     const CONFIG_PATH_DB_CONNECTION_DEFAULT = 'db/connection/default';
     const CONFIG_PATH_DB_CONNECTIONS = 'db/connection';
     const CONFIG_PATH_DB_PREFIX = 'db/table_prefix';
+    const CONFIG_PATH_X_FRAME_OPT = 'x-frame-options';
     /**#@-*/
 
     /**#@+
@@ -67,7 +68,7 @@ class ConfigOptionsListConstants
     const KEY_INIT_STATEMENTS = 'initStatements';
     const KEY_ACTIVE = 'active';
     /**#@-*/
-    
+
     /**
      * Db config key
      */
diff --git a/setup/src/Magento/Setup/Model/ConfigGenerator.php b/setup/src/Magento/Setup/Model/ConfigGenerator.php
@@ -210,4 +210,18 @@ public function createResourceConfig()
 
         return $configData;
     }
+
+    /**
+     * Creates x-frame-options header config data
+     *
+     * @return ConfigData
+     */
+    public function createXFrameConfig()
+    {
+        $configData = new ConfigData(ConfigFilePool::APP_ENV);
+        if ($this->deploymentConfig->get(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT) === null) {
+            $configData->set(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT, 'SAMEORIGIN');
+        }
+        return $configData;
+    }
 }
diff --git a/setup/src/Magento/Setup/Model/ConfigOptionsList.php b/setup/src/Magento/Setup/Model/ConfigOptionsList.php
@@ -158,6 +158,7 @@ public function createConfig(array $data, DeploymentConfig $deploymentConfig)
         }
         $configData[] = $this->configGenerator->createDbConfig($data);
         $configData[] = $this->configGenerator->createResourceConfig();
+        $configData[] = $this->configGenerator->createXFrameConfig();
         return $configData;
     }
 
diff --git a/setup/src/Magento/Setup/Test/Unit/Model/ConfigGeneratorTest.php b/setup/src/Magento/Setup/Test/Unit/Model/ConfigGeneratorTest.php
@@ -0,0 +1,41 @@
+<?php
+/***
+ * Copyright © 2015 Magento. All rights reserved.
+ * See COPYING.txt for license details.
+ */
+
+namespace Magento\Setup\Test\Unit\Model;
+
+
+use Magento\Framework\Config\ConfigOptionsListConstants;
+
+class ConfigGeneratorTest extends \PHPUnit_Framework_TestCase
+{
+    /** @var  \Magento\Framework\App\DeploymentConfig | \PHPUnit_Framework_MockObject_MockObject */
+    private $deploymentConfigMock;
+    /** @var  \Magento\Setup\Model\ConfigGenerator | \PHPUnit_Framework_MockObject_MockObject */
+    private $model;
+
+    public function setUp()
+    {
+        $objectManager = new \Magento\Framework\TestFramework\Unit\Helper\ObjectManager($this);
+
+        $this->deploymentConfigMock = $this->getMockBuilder('Magento\Framework\App\DeploymentConfig')
+            ->disableOriginalConstructor()
+            ->getMock();
+        $this->model = $objectManager->getObject(
+            'Magento\Setup\Model\ConfigGenerator',
+            ['deploymentConfig' => $this->deploymentConfigMock]
+        );
+    }
+
+    public function testCreateXFrameConfig()
+    {
+        $this->deploymentConfigMock->expects($this->atLeastOnce())
+            ->method('get')
+            ->with(ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT)
+            ->willReturn(null);
+        $configData = $this->model->createXFrameConfig();
+        $this->assertSame('SAMEORIGIN', $configData->getData()[ConfigOptionsListConstants::CONFIG_PATH_X_FRAME_OPT]);
+    }
+}
diff --git a/setup/src/Magento/Setup/Test/Unit/Module/ConfigOptionsListTest.php b/setup/src/Magento/Setup/Test/Unit/Module/ConfigOptionsListTest.php
@@ -82,8 +82,9 @@ public function testCreateOptions()
         $this->generator->expects($this->once())->method('createDefinitionsConfig')->willReturn($configDataMock);
         $this->generator->expects($this->once())->method('createDbConfig')->willReturn($configDataMock);
         $this->generator->expects($this->once())->method('createResourceConfig')->willReturn($configDataMock);
+        $this->generator->expects($this->once())->method('createXFrameConfig')->willReturn($configDataMock);
         $configData = $this->object->createConfig([], $this->deploymentConfig);
-        $this->assertEquals(6, count($configData));
+        $this->assertEquals(7, count($configData));
     }
 
     public function testCreateOptionsWithOptionalNull()
@@ -95,7 +96,8 @@ public function testCreateOptionsWithOptionalNull()
         $this->generator->expects($this->once())->method('createDefinitionsConfig')->willReturn(null);
         $this->generator->expects($this->once())->method('createDbConfig')->willReturn($configDataMock);
         $this->generator->expects($this->once())->method('createResourceConfig')->willReturn($configDataMock);
+        $this->generator->expects($this->once())->method('createXFrameConfig')->willReturn($configDataMock);
         $configData = $this->object->createConfig([], $this->deploymentConfig);
-        $this->assertEquals(5, count($configData));
+        $this->assertEquals(6, count($configData));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,9 @@ class Http extends \Magento\Framework\HTTP\PhpEnvironment\Response`
`21`	`21`	`/** Format for expiration timestamp headers */`
`22`	`22`	`const EXPIRATION_TIMESTAMP_FORMAT = 'D, d M Y H:i:s T';`
`23`	`23`
	`24`	`+ /** X-FRAME-OPTIONS Header name */`
	`25`	`+ const HEADER_X_FRAME_OPT = 'X-Frame-Options';`
	`26`	`+`
`24`	`27`	`/** @var \Magento\Framework\Stdlib\CookieManagerInterface */`
`25`	`28`	`protected $cookieManager;`
`26`	`29`
`@@ -51,6 +54,17 @@ public function __construct(`
`51`	`54`	`$this->dateTime = $dateTime;`
`52`	`55`	`}`
`53`	`56`
	`57`	`+ /**`
	`58`	`+ * Sends the X-FRAME-OPTIONS header to protect against click-jacking`
	`59`	`+ *`
	`60`	`+ * @param string $value`
	`61`	`+ * @return void`
	`62`	`+ */`
	`63`	`+ public function setXFrameOptions($value)`
	`64`	`+ {`
	`65`	`+ $this->setHeader(self::HEADER_X_FRAME_OPT, $value);`
	`66`	`+ }`
	`67`	`+`
`54`	`68`	`/**`
`55`	`69`	`* Send Vary cookie`
`56`	`70`	`*`
`@@ -109,6 +123,7 @@ public function setPrivateHeaders($ttl)`
`109`	`123`	`* Set headers for no-cache responses`
`110`	`124`	`*`
`111`	`125`	`* @return void`
	`126`	`+ * @codeCoverageIgnore`
`112`	`127`	`*/`
`113`	`128`	`public function setNoCacheHeaders()`
`114`	`129`	`{`
`@@ -122,6 +137,7 @@ public function setNoCacheHeaders()`
`122`	`137`	`*`
`123`	`138`	`* @param string $content String in JSON format`
`124`	`139`	`* @return \Magento\Framework\App\Response\Http`
	`140`	`+ * @codeCoverageIgnore`
`125`	`141`	`*/`
`126`	`142`	`public function representJson($content)`
`127`	`143`	`{`
`@@ -131,6 +147,7 @@ public function representJson($content)`
`131`	`147`
`132`	`148`	`/**`
`133`	`149`	`* @return string[]`
	`150`	`+ * @codeCoverageIgnore`
`134`	`151`	`*/`
`135`	`152`	`public function __sleep()`
`136`	`153`	`{`
`@@ -141,6 +158,7 @@ public function __sleep()`
`141`	`158`	`* Need to reconstruct dependencies when being de-serialized.`
`142`	`159`	`*`
`143`	`160`	`* @return void`
	`161`	`+ * @codeCoverageIgnore`
`144`	`162`	`*/`
`145`	`163`	`public function __wakeup()`
`146`	`164`	`{`
`@@ -154,6 +172,7 @@ public function __wakeup()`
`154`	`172`	`*`
`155`	`173`	`* @param string $time`
`156`	`174`	`* @return string`
	`175`	`+ * @codeCoverageIgnore`
`157`	`176`	`*/`
`158`	`177`	`protected function getExpirationHeader($time)`
`159`	`178`	`{`
Original file line number	Diff line number	Diff line change
`@@ -271,4 +271,11 @@ public function testWakeUpWith()`
`271`	`271`	`\Magento\Framework\App\ObjectManager::setInstance($objectManagerMock);`
`272`	`272`	`$this->model->__wakeup();`
`273`	`273`	`}`
	`274`	`+`
	`275`	`+ public function testSetXFrameOptions()`
	`276`	`+ {`
	`277`	`+ $value = 'DENY';`
	`278`	`+ $this->model->setXFrameOptions($value);`
	`279`	`+ $this->assertSame($value, $this->model->getHeader(Http::HEADER_X_FRAME_OPT)->getFieldValue());`
	`280`	`+ }`
`274`	`281`	`}`
Original file line number	Diff line number	Diff line change
`@@ -158,6 +158,7 @@ public function createConfig(array $data, DeploymentConfig $deploymentConfig)`
`158`	`158`	`}`
`159`	`159`	`$configData[] = $this->configGenerator->createDbConfig($data);`
`160`	`160`	`$configData[] = $this->configGenerator->createResourceConfig();`
	`161`	`+ $configData[] = $this->configGenerator->createXFrameConfig();`
`161`	`162`	`return $configData;`
`162`	`163`	`}`
`163`	`164`