From 088607803652d77ea80881890f044002d737c84e Mon Sep 17 00:00:00 2001
From: Ernest Warwas <ernest.warwas96@gmail.com>
Date: Wed, 2 Mar 2022 11:36:57 +0100
Subject: [PATCH] listener added to finish response with X-Frame-Options
 sameorigin header

---
 .../EventListener/FinishResponseListener.php  | 48 +++++++++++++++++++
 .../Resources/config/services/listeners.xml   |  4 ++
 tests/Controller/FinishResponseTest.php       | 29 +++++++++++
 3 files changed, 81 insertions(+)
 create mode 100644 src/Sylius/Bundle/CoreBundle/EventListener/FinishResponseListener.php
 create mode 100644 tests/Controller/FinishResponseTest.php

diff --git a/src/Sylius/Bundle/CoreBundle/EventListener/FinishResponseListener.php b/src/Sylius/Bundle/CoreBundle/EventListener/FinishResponseListener.php
new file mode 100644
index 00000000000..735ff4a88a7
--- /dev/null
+++ b/src/Sylius/Bundle/CoreBundle/EventListener/FinishResponseListener.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * This file is part of the Sylius package.
+ *
+ * (c) Paweł Jędrzejewski
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Sylius\Bundle\CoreBundle\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpKernel\Event\ResponseEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+
+final class FinishResponseListener implements EventSubscriberInterface
+{
+    public function onKernelResponse(ResponseEvent $event): void
+    {
+        if (!$this->isMainRequest($event)) {
+            return;
+        }
+
+        $response = $event->getResponse();
+
+        $response->headers->set('X-Frame-Options', 'sameorigin');
+    }
+
+    public static function getSubscribedEvents()
+    {
+        return [
+            KernelEvents::RESPONSE => [['onKernelResponse']],
+        ];
+    }
+
+    private function isMainRequest(ResponseEvent $event): bool
+    {
+        if (\method_exists($event, 'isMainRequest')) {
+            return $event->isMainRequest();
+        }
+
+        return $event->isMasterRequest();
+    }
+}
diff --git a/src/Sylius/Bundle/CoreBundle/Resources/config/services/listeners.xml b/src/Sylius/Bundle/CoreBundle/Resources/config/services/listeners.xml
index ef39f9b6ba5..9b1b97520b6 100644
--- a/src/Sylius/Bundle/CoreBundle/Resources/config/services/listeners.xml
+++ b/src/Sylius/Bundle/CoreBundle/Resources/config/services/listeners.xml
@@ -95,6 +95,10 @@
             <argument type="service" id="Sylius\Bundle\CoreBundle\EventListener\LocaleAwareListener.inner" />
         </service>
 
+        <service id="Sylius\Bundle\CoreBundle\EventListener\FinishResponseListener">
+            <tag name="kernel.event_subscriber" />
+        </service>
+
         <service id="sylius.listener.taxon_deletion" class="Sylius\Bundle\CoreBundle\EventListener\TaxonDeletionListener">
             <argument type="service" id="session" />
             <argument type="service" id="sylius.repository.channel" />
diff --git a/tests/Controller/FinishResponseTest.php b/tests/Controller/FinishResponseTest.php
new file mode 100644
index 00000000000..513780469f3
--- /dev/null
+++ b/tests/Controller/FinishResponseTest.php
@@ -0,0 +1,29 @@
+<?php
+
+/*
+ * This file is part of the Sylius package.
+ *
+ * (c) Paweł Jędrzejewski
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Sylius\Tests\Controller;
+
+use ApiTestCase\JsonApiTestCase;
+
+final class FinishResponseTest extends JsonApiTestCase
+{
+    /** @test */
+    public function it_sets_frame_options_header(): void
+    {
+        $this->client->request('GET', '/');
+
+        $response = $this->client->getResponse();
+
+        $this->assertSame('sameorigin', $response->headers->get('X-Frame-Options'));
+    }
+}