[BUGFIX] Correct clickjacking header in backend 04/58804/8
authorChris Müller <typo3@krue.ml>
Tue, 30 Oct 2018 18:58:51 +0000 (19:58 +0100)
committerWouter Wolters <typo3@wouterwolters.nl>
Tue, 30 Oct 2018 21:16:41 +0000 (22:16 +0100)
The clickjacking header in the backend was not correctly set
according to
https://developer.mozilla.org/de/docs/Web/HTTP/Headers/X-Frame-Options

Resolves: #86808
Releases: master
Change-Id: I42aa89950122fb3a875f075b5966c83d8b69f1d9
Reviewed-on: https://review.typo3.org/58804
Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack <benni@typo3.org>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Andreas Fernandez <a.fernandez@scripting-base.de>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
typo3/sysext/backend/Classes/Middleware/AdditionalResponseHeaders.php

index e5638a7..00cc568 100644 (file)
@@ -37,8 +37,9 @@ class AdditionalResponseHeaders implements MiddlewareInterface
     public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
     {
         $response = $handler->handle($request);
-        foreach ($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'] ?? [] as $header => $value) {
-            $response = $response->withAddedHeader($header, $value);
+        foreach ($GLOBALS['TYPO3_CONF_VARS']['BE']['HTTP']['Response']['Headers'] ?? [] as $header) {
+            [$headerName, $value] = explode(':', $header, 2);
+            $response = $response->withAddedHeader($headerName, trim($value));
         }
         return $response;
     }
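Review bot: The new loop in `process()` assumes every configured entry contains a colon; for an entry without one, `explode(':', $header, 2)` returns a single element, so `$value` is null (with an undefined-offset notice) and `trim($value)` either raises a TypeError, if the file declares strict types (not visible in this hunk), or adds the header with an empty value. An installation that still overrides this setting in the old `name => value` shape would presumably land on that path, because the array key is now ignored, and the intended `X-Frame-Options` value would then not be sent. I would guard the entry before destructuring, e.g. `if (strpos($header, ':') === false) { continue; }`, ideally logging the skipped entry so a broken security header does not go unnoticed. The header name should be trimmed as well, `$response->withAddedHeader(trim($headerName), trim($value));`, since a name with surrounding whitespace is likely to be rejected by the PSR-7 implementation and would fail every backend response.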