public function SecKitEventSubscriber::seckitXframe in Security Kit 8

Same name and namespace in other branches
  1. 2.x src/EventSubscriber/SecKitEventSubscriber.php \Drupal\seckit\EventSubscriber\SecKitEventSubscriber::seckitXframe()

Sends the X-Frame-Options HTTP header.

X-Frame-Options controls whether the browser may display the page inside a frame. More information can be found in the original article introducing it at http://blogs.msdn.com/ie/archive/2009/01/27/ie8-security-part-vii-clickj....

The implementation of X-Frame-Options is based on the specification draft available at http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-01.

1 call to SecKitEventSubscriber::seckitXframe()
SecKitEventSubscriber::onKernelResponse in src/EventSubscriber/SecKitEventSubscriber.php
Executes actions on the response event.

File

src/EventSubscriber/SecKitEventSubscriber.php, line 338

Class

SecKitEventSubscriber
Subscribing an event.

Namespace

Drupal\seckit\EventSubscriber

Code

public function seckitXframe($setting, $event) {
  switch ($setting) {
    case SeckitInterface::X_FRAME_SAMEORIGIN:
      // Set X-Frame-Options to SAMEORIGIN.
      $this->response->headers
        ->set('X-Frame-Options', 'SAMEORIGIN');
      break;

    case SeckitInterface::X_FRAME_DENY:
      // Set X-Frame-Options to DENY.
      $this->response->headers
        ->set('X-Frame-Options', 'DENY');
      break;

    case SeckitInterface::X_FRAME_ALLOW_FROM:
      // If this request's Origin is allowed, we specify that value.
      // If the origin is not allowed, we can use any other value to prevent
      // the client from framing the page.
      $allowed_from = $this->config
        ->get('seckit_clickjacking.x_frame_allow_from');
      $values = explode("\n", $allowed_from);
      $allowed = array_values(array_filter(array_map('trim', $values)));
      $origin = $event
        ->getRequest()->headers
        ->get('Origin');
      if (!in_array($origin, $allowed, TRUE)) {
        $origin = array_pop($allowed);
      }
      $this->response->headers
        ->set('X-Frame-Options', "ALLOW-FROM {$origin}");
      break;

    case SeckitInterface::X_FRAME_DISABLE:
      // Make sure Drupal core does not set the header either.
      // See Drupal\Core\EventSubscriber\FinishResponseSubscriber.
      $this->response->headers
        ->remove('X-Frame-Options');
      break;
  }
}
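The ALLOW-FROM branch above is the only one whose output depends on the request, and its behaviour on unlisted, differently-cased or missing Origin headers is easy to misread. The script below is an added example, not Security Kit's own code: it lifts the header-selection logic into a pure function that runs without a Drupal kernel, so the edge cases can be exercised directly. The X_FRAME_* string constants, the seckit_xframe_value() function name and the sample configuration are assumptions made for this standalone script; the parsing and comparison steps mirror the module code line for line.

```php
<?php
// Added example (not Security Kit's own code): the X-Frame-Options selection
// logic of seckitXframe() as a pure function, so its edge cases can be run
// without Drupal. The constants below stand in for SeckitInterface::X_FRAME_*
// and are an assumption of this script, not the module's real values.

declare(strict_types=1);

const X_FRAME_SAMEORIGIN = 'sameorigin';
const X_FRAME_DENY       = 'deny';
const X_FRAME_ALLOW_FROM = 'allow-from';
const X_FRAME_DISABLE    = 'disable';

/**
 * Computes the X-Frame-Options value for one request.
 *
 * @param string      $setting           One of the X_FRAME_* constants above.
 * @param string      $allowedFromConfig Newline-separated origins, as stored in
 *                                       seckit_clickjacking.x_frame_allow_from.
 * @param string|null $origin            The request's Origin header, NULL if absent.
 *
 * @return string|null
 *   The header value to send, or NULL when the header must be removed.
 */
function seckit_xframe_value(string $setting, string $allowedFromConfig, ?string $origin): ?string {
  switch ($setting) {
    case X_FRAME_SAMEORIGIN:
      return 'SAMEORIGIN';

    case X_FRAME_DENY:
      return 'DENY';

    case X_FRAME_ALLOW_FROM:
      // Same parsing as the module: split on newlines, trim each entry,
      // drop empty lines, and reindex so array_pop() sees the last real entry.
      $allowed = array_values(array_filter(array_map('trim', explode("\n", $allowedFromConfig))));
      // Strict comparison: scheme, host, port and letter case must all match,
      // and a NULL (absent) Origin never matches.
      if (!in_array($origin, $allowed, TRUE)) {
        // Unmatched or missing Origin: fall back to the last configured entry.
        // The requesting site is not that origin, so a browser that honours
        // ALLOW-FROM refuses to frame the page.
        $origin = array_pop($allowed);
      }
      return "ALLOW-FROM {$origin}";

    case X_FRAME_DISABLE:
      // Caller must remove the header entirely (including Drupal core's default).
      return NULL;
  }
  return NULL;
}

// Constructed sample configuration: two origins, with the stray whitespace and
// blank lines a textarea setting typically contains.
$config = "https://partner.example\n  https://intranet.example  \n\n";

// Constructed requests covering the interesting cases.
$cases = [
  [X_FRAME_ALLOW_FROM, 'https://partner.example'],  // listed: echoed back verbatim
  [X_FRAME_ALLOW_FROM, 'https://PARTNER.example'],  // case differs: not matched
  [X_FRAME_ALLOW_FROM, 'https://evil.example'],     // not listed: fallback entry
  [X_FRAME_ALLOW_FROM, NULL],                       // no Origin header sent
  [X_FRAME_SAMEORIGIN, 'https://evil.example'],
  [X_FRAME_DISABLE,    'https://evil.example'],
];

foreach ($cases as [$setting, $origin]) {
  $value = seckit_xframe_value($setting, $config, $origin);
  printf("%-11s origin=%-26s -> %s\n",
    $setting, var_export($origin, TRUE), $value ?? '(header removed)');
}
```

Run it with `php example.php`. Two points worth checking against your own configuration: the comparison is strict, so an entry that differs from the browser's Origin only in case, trailing slash or explicit port never matches and every such request gets the fallback value; and if the configured list is empty, array_pop() yields NULL and the header is sent as a bare `ALLOW-FROM `. Separately, ALLOW-FROM was only ever honoured by Internet Explorer and older Firefox; browsers that do not implement it ignore the header, so the fallback does not stop framing there, and the CSP `frame-ancestors` directive is the portable way to permit specific origins.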