Commit c8a0c7c9 authored by webchick's avatar webchick
Browse files

Issue #2514136 by pwolanin, Fabianx: Add default clickjacking defense to core

parent 2710ccd0
......@@ -113,6 +113,7 @@ public function onRespond(FilterResponseEvent $event) {
// XSS and other vulnerabilities.
$response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
$response->headers->set('X-Frame-Options', 'SAMEORIGIN', FALSE);
// Expose the cache contexts and cache tags associated with this page in a
// X-Drupal-Cache-Contexts and X-Drupal-Cache-Tags header respectively.
......@@ -40,7 +40,7 @@ public function testFinishResponseSubscriber() {
$this->assertEqual($headers['x-ua-compatible'], 'IE=edge');
$this->assertEqual($headers['content-language'], 'en');
$this->assertEqual($headers['x-content-type-options'], 'nosniff');
$this->assertEqual($headers['x-frame-options'], 'SAMEORIGIN');
$this->assertRaw('test2', 'The correct string was returned because the route was successful.');
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment