From 84e64982f0d8f13ca67fb0fd7d965c59b04f2823 Mon Sep 17 00:00:00 2001
From: Romain Neutron
Date: Mon, 22 Aug 2016 15:21:15 +0200
Subject: [PATCH] Fix ALLOW-FROM implementation

---
 CHANGELOG.md | 5 ++++-
 DependencyInjection/Configuration.php | 6 +++---
 README.md | 4 ++--
 Tests/Listener/ClickjackingListenerTest.php | 2 ++
 4 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a239b937..6ef92b59 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+### 2.0.2 (2016-xx-xx)
+ * Fix typo in the ALLOW-FROM implementation
+
 ### 2.0.1 (2016-06-04)
  * Fix CookieSessionHandler::open that should return true unless there's an error
 
@@ -46,7 +49,7 @@
 
 ### 1.5.0 (2015-01-01)
  * Added ability to have different configs for both reported and enforced CSP rules
- * Added support for ALLOW and ALLOW FROM syntaxes in the Clickjacking Protection
+ * Added support for ALLOW and ALLOW-FROM syntaxes in the Clickjacking Protection
  * Added support for HHVM and PHP 5.6
  * Fixed enabling of cookie signing when the cookie list is empty
 
diff --git a/DependencyInjection/Configuration.php b/DependencyInjection/Configuration.php
index 80c4e88f..72a56778 100644
--- a/DependencyInjection/Configuration.php
+++ b/DependencyInjection/Configuration.php
@@ -67,7 +67,7 @@ public function getConfigTreeBuilder()
                                 $v = array('header' => $v ?: 'DENY');
                             }
                             if (isset($v['header'])) {
-                                $v['header'] = preg_replace_callback('{^(?:ALLOW|DENY|SAMEORIGIN)(?: FROM)?}i', function ($m) { return strtoupper($m[0]); }, $v['header']);
+                                $v['header'] = preg_replace_callback('{^(?:ALLOW|DENY|SAMEORIGIN|ALLOW-FROM)?}i', function ($m) { return strtoupper($m[0]); }, $v['header']);
                             }
 
                             return $v;
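Review bot: The new normalisation regex `{^(?:ALLOW|DENY|SAMEORIGIN|ALLOW-FROM)?}i` can never select the `ALLOW-FROM` alternative: PCRE tries the alternatives in order, `ALLOW` matches the prefix of `allow-from …`, and nothing after the group can fail, so the engine never backtracks to `ALLOW-FROM`. A lower-case config value therefore becomes `ALLOW-from http://…`, which the validator's case-sensitive `{^ALLOW-FROM \S+}` check in the next hunk then rejects. The trailing `?` also makes the whole group optional, so the callback runs on an empty match for any other value, which is harmless but pointless. Put the longest alternative first and drop the `?`: `'{^(?:ALLOW-FROM|ALLOW|DENY|SAMEORIGIN)}i'`. The closure and getConfigTreeBuilder both continue outside the hunk.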
@@ -76,9 +76,9 @@ public function getConfigTreeBuilder()
                     ->validate()
                         ->ifTrue(function ($v) {
                             return isset($v['header']) && !in_array($v['header'], array('DENY', 'SAMEORIGIN', 'ALLOW'), true)
-                                && !preg_match('{^ALLOW FROM \S+}', $v['header']);
+                                && !preg_match('{^ALLOW-FROM \S+}', $v['header']);
                         })
-                        ->thenInvalid('Possible header values are DENY, SAMEORIGIN, ALLOW and ALLOW FROM [url], got: %s')
+                        ->thenInvalid('Possible header values are DENY, SAMEORIGIN, ALLOW and ALLOW-FROM [url], got: %s')
                     ->end()
                     ->children()
                         ->scalarNode('header')->defaultValue('DENY')->end()
diff --git a/README.md b/README.md
index c09ef46a..f2441d9e 100644
--- a/README.md
+++ b/README.md
@@ -389,7 +389,7 @@ supports the `ALLOW` option which skips the creation of the header for the match
 want to whitelist a few URLs and then DENY everything else.
 
 One more option, as of yet [not well supported](https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options),
-is to use `ALLOW FROM uri` where `uri` can be any origin URL, from
+is to use `ALLOW-FROM uri` where `uri` can be any origin URL, from
 `example.org` to `https://example.org:123/sub/path`. This lets you specify
 exactly which domain can embed your site, in case you have a multi-domain
 setup.
@@ -410,7 +410,7 @@ nelmio_security:
     clickjacking:
         paths:
             '^/iframes/': ALLOW
-            '^/business/': 'ALLOW FROM https://biz.example.org'
+            '^/business/': 'ALLOW-FROM https://biz.example.org'
             '^/local/': SAMEORIGIN
             '^/.*': DENY
     content_types: []
diff --git a/Tests/Listener/ClickjackingListenerTest.php b/Tests/Listener/ClickjackingListenerTest.php
index 58e8e9fc..ae45d551 100644
--- a/Tests/Listener/ClickjackingListenerTest.php
+++ b/Tests/Listener/ClickjackingListenerTest.php
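Review bot: The validation at `!preg_match('{^ALLOW-FROM \S+}', $v['header'])` is anchored only at the start, so a value like `ALLOW-FROM https://biz.example.org extra` passes and presumably reaches the listener unchanged, producing an X-Frame-Options value that browsers will not recognise and so will not enforce. Anchoring the end, `'{^ALLOW-FROM \S+$}'`, limits the accepted form to the single URI token the README documents. The `ifTrue` closure and the surrounding builder chain start outside the hunk.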
@@ -28,6 +28,7 @@ protected function setUp()
         $this->listener = new ClickjackingListener(array(
             '^/frames/' => array('header' => 'ALLOW'),
             '/frames/' => array('header' => 'SAMEORIGIN'),
+            '/this/allow' => array('header' => 'ALLOW-FROM http://biz.domain.com'),
             '^/.*' => array('header' => 'DENY'),
             '.*' => array('header' => 'ALLOW'),
         ));
@@ -49,6 +50,7 @@ public function provideClickjackingMatches()
             array('/', 'DENY'),
             array('/test', 'DENY'),
             array('/frames/foo', null),
+            array('/this/allow', 'ALLOW-FROM http://biz.domain.com'),
             array('/sub/frames/foo', 'SAMEORIGIN'),
         );
     }
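Review bot: The new dataset `array('/this/allow', 'ALLOW-FROM http://biz.domain.com')` only pushes an already upper-case value through the listener, so neither the normalisation callback nor the validator that this commit changes in DependencyInjection/Configuration.php is exercised, and the alternation-order problem in the new `{^(?:ALLOW|DENY|SAMEORIGIN|ALLOW-FROM)?}i` regex goes undetected. A Configuration-level test that processes a lower-case `'allow-from http://biz.domain.com'` and asserts the resulting header is `ALLOW-FROM http://biz.domain.com` would pin the fix the commit title claims. setUp and provideClickjackingMatches both begin outside their hunks.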