diff options
| author | Gervase Markham <gerv@gerv.net> | 2013-11-27 19:02:11 +0100 |
|---|---|---|
| committer | Gervase Markham <gerv@mozilla.org> | 2013-11-27 19:02:11 +0100 |
| commit | e21cee47ced69277073d3d2395e8a7cb64e71c14 (patch) | |
| tree | 7f3a72f12ff4653f5c9d13e692d3d3e5944e895e /Bugzilla | |
| parent | fc11e1a8d7e0ca1f07fbb89dfb77df186a8bf757 (diff) | |
| download | bugzilla-e21cee47ced69277073d3d2395e8a7cb64e71c14.tar.gz bugzilla-e21cee47ced69277073d3d2395e8a7cb64e71c14.tar.xz | |
Bug 938596 - Add hook for modifying HTTP headers. r=LpSolit.
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/CGI.pm | 28 | ||||
| -rw-r--r-- | Bugzilla/Hook.pm | 27 |
2 files changed, 46 insertions, 9 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index 05863bf02..c7997ba18 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -15,6 +15,7 @@ use parent qw(CGI); use Bugzilla::Constants; use Bugzilla::Error; use Bugzilla::Util; +use Bugzilla::Hook; use Bugzilla::Search::Recent; use File::Basename; @@ -275,19 +276,23 @@ sub multipart_start { sub header { my $self = shift; + my %headers; + # If there's only one parameter, then it's a Content-Type. if (scalar(@_) == 1) { - # Since we're adding parameters below, we have to name it. - unshift(@_, '-type' => shift(@_)); + %headers = ('-type' => shift(@_)); + } + else { + %headers = @_; } if ($self->{'_content_disp'}) { - unshift(@_, '-content_disposition' => $self->{'_content_disp'}); + $headers{'-content_disposition'} = $self->{'_content_disp'}; } # Add the cookies in if we have any if (scalar(@{$self->{Bugzilla_cookie_list}})) { - unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list}); + $headers{'-cookie'} = $self->{Bugzilla_cookie_list}; } # Add Strict-Transport-Security (STS) header if this response @@ -301,24 +306,29 @@ sub header { { $sts_opts .= '; includeSubDomains'; } - unshift(@_, '-strict_transport_security' => $sts_opts); + + $headers{'-strict_transport_security'} = $sts_opts; } # Add X-Frame-Options header to prevent framing and subsequent # possible clickjacking problems. unless ($self->url_is_attachment_base) { - unshift(@_, '-x_frame_options' => 'SAMEORIGIN'); + $headers{'-x_frame_options'} = 'SAMEORIGIN'; } # Add X-XSS-Protection header to prevent simple XSS attacks # and enforce the blocking (rather than the rewriting) mode. - unshift(@_, '-x_xss_protection' => '1; mode=block'); + $headers{'-x_xss_protection'} = '1; mode=block'; # Add X-Content-Type-Options header to prevent browsers sniffing # the MIME type away from the declared Content-Type. - unshift(@_, '-x_content_type_options' => 'nosniff'); + $headers{'-x_content_type_options'} = 'nosniff'; + + Bugzilla::Hook::process('cgi_headers', + { cgi => $self, headers => \%headers } + ); - return $self->SUPER::header(@_) || ""; + return $self->SUPER::header(%headers) || ""; } sub param { diff --git a/Bugzilla/Hook.pm b/Bugzilla/Hook.pm index 4c8933b16..e6a0ba283 100644 --- a/Bugzilla/Hook.pm +++ b/Bugzilla/Hook.pm @@ -641,6 +641,33 @@ spaces. =back +=head2 cgi_headers + +This allows you to modify the HTTP headers sent out on every Bugzilla +response. + +Params: + +=over + +=item C<headers> + +A hashref, where the keys are header names and the values are header +values. Keys need to be lower-case, and begin with a "-". If you use +the "_" character it will be converted to "-", and the library will +also fix the casing to Camel-Case. + +You can delete (some) headers that Bugzilla adds by deleting entries +from the hash. + +=item C<cgi> + +The CGI object, which may tell you useful things about the response on +which to base a decision of whether or not to add a header. + +=back + + =head2 config_add_panels If you want to add new panels to the Parameters administrative interface, |