Merge pull request #1391 from daniel-beck/JENKINS-21881

[FIXED JENKINS-21881] System property for disabling X-Frame-Options

Merge pull request #1391 from daniel-beck/JENKINS-21881
[FIXED JENKINS-21881] System property for disabling X-Frame-Options
852ba85c · Daniel Beck · 598aea43 · 3b5564a4 · 852ba85c · 852ba85c
4 changed file
--- a/core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
+++ b/core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
+package jenkins.security;
+
+import hudson.Extension;
+import hudson.model.PageDecorator;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Adds the 'X-Frame-Options' header to all web pages.
+ *
+ * @since TODO
+ */
+@Extension(ordinal = 1000)
+public class FrameOptionsPageDecorator extends PageDecorator {
+    @Restricted(NoExternalUse.class)
+    public static boolean enabled = Boolean.valueOf(System.getProperty(FrameOptionsPageDecorator.class.getName() + ".enabled", "true"));
+}
--- a/core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
+++ b/core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler">
+    <j:if test="${it.enabled}">
+        <st:header name="X-Frame-Options" value="sameorigin"/>
+    </j:if>
+</j:jelly>
\ No newline at end of file
--- a/core/src/main/resources/lib/layout/layout.jelly
+++ b/core/src/main/resources/lib/layout/layout.jelly
@@ -56,7 +56,6 @@ THE SOFTWARE.
 <st:setHeader name="Expires" value="0" />
 <st:setHeader name="Cache-Control" value="no-cache,no-store,must-revalidate" />
 <st:setHeader name="X-Hudson-Theme" value="default" />
-<st:setHeader name="X-Frame-Options" value="sameorigin" />
 <st:contentType value="text/html;charset=UTF-8" />

  <j:new var="h" className="hudson.Functions" /><!-- instead of JSP functions -->

--- a/test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
+++ b/test/src/test/java/jenkins/security/FrameOptionsPageDecoratorTest.java
+package jenkins.security;
+
+import com.gargoylesoftware.htmlunit.WebResponse;
+import com.gargoylesoftware.htmlunit.html.HtmlPage;
+import org.apache.commons.httpclient.NameValuePair;
+import org.junit.Assert;
+import org.junit.Rule;
+import org.junit.Test;
+import org.jvnet.hudson.test.JenkinsRule;
+import org.xml.sax.SAXException;
+
+import java.io.IOException;
+
+public class FrameOptionsPageDecoratorTest {
+    @Rule
+    public JenkinsRule j = new JenkinsRule();
+
+    @Test
+    public void defaultHeaderPresent() throws IOException, SAXException {
+        JenkinsRule.WebClient wc = j.createWebClient();
+        HtmlPage page = wc.goTo("");
+        Assert.assertEquals("Expected different X-Frame-Options value", getFrameOptionsFromResponse(page.getWebResponse()), "sameorigin");
+    }
+
+    @Test
+    public void testDisabledFrameOptions() throws IOException, SAXException {
+        FrameOptionsPageDecorator.enabled = false;
+        JenkinsRule.WebClient wc = j.createWebClient();
+        HtmlPage page = wc.goTo("");
+        Assert.assertNull("Expected X-Frame-Options unset", getFrameOptionsFromResponse(page.getWebResponse()));
+    }
+
+    private static String getFrameOptionsFromResponse(WebResponse response) {
+        for (NameValuePair pair : response.getResponseHeaders()) {
+            if (pair.getName().equals("X-Frame-Options")) {
+                return pair.getValue();
+            }
+        }
+        return null;
+    }
+}