
Missing HTTP headers to avoid login forms clickjacking

Moderate
lchrusciel published GHSA-4jp3-q2qm-9fmw Mar 14, 2022

Package

composer sylius/sylius (Composer)

Affected versions

<1.9 <1.9.10 || >=1.10 <1.10.11 || >=1.11 <1.11.2

Patched versions

1.9.10, 1.10.11, 1.11.2

Description

Impact

It is possible for a page controlled by an attacker to load the website within an iframe. This enables a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker.

Patches

The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.

Workarounds

Every response from the app should have an X-Frame-Options header set to sameorigin. To achieve that, add a new event subscriber to your app.

<?php

// src/EventListener/XFrameOptionsSubscriber.php

namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class XFrameOptionsSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents(): array
    {
        // Run on every response produced by the kernel
        return [
            KernelEvents::RESPONSE => 'onKernelResponse',
        ];
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Only the main request's response reaches the browser; skip sub-requests
        if (!$this->isMainRequest($event)) {
            return;
        }

        $response = $event->getResponse();

        // Forbid framing of the page by other origins
        $response->headers->set('X-Frame-Options', 'sameorigin');
    }

    private function isMainRequest(ResponseEvent $event): bool
    {
        // Symfony 5.3+ renamed isMasterRequest() to isMainRequest(); support both
        if (\method_exists($event, 'isMainRequest')) {
            return $event->isMainRequest();
        }

        return $event->isMasterRequest();
    }
}

And register it in the container:

# config/services.yaml
services:
    # ...
    App\EventListener\XFrameOptionsSubscriber:
        tags: ['kernel.event_subscriber']
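To verify that the workaround actually took effect, here is an added Python example (it is not part of this advisory or of the Sylius project) that evaluates a response's headers for clickjacking protection. It goes slightly beyond the advisory: it also understands the Content-Security-Policy frame-ancestors directive, which current browsers honour in preference to X-Frame-Options when both are present, and it flags the obsolete ALLOW-FROM form, which browsers ignore. The sample header sets are constructed.

```python
"""Classify whether a response's headers stop the page from being framed.

Added example, not Sylius project code. All header sets below are constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample responses: roughly what an app sends before and after
# registering the workaround subscriber, plus a few CSP variants.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "before-fix": {"Content-Type": "text/html; charset=UTF-8"},
    "after-fix": {"Content-Type": "text/html; charset=UTF-8",
                  "X-Frame-Options": "sameorigin"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    # frame-ancestors overrides X-Frame-Options, so this one is still framable
    "csp-open": {"Content-Security-Policy": "frame-ancestors *",
                 "X-Frame-Options": "DENY"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def _lower_headers(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive; normalise names and trim values
    return {name.lower(): value.strip() for name, value in headers.items()}


def csp_frame_ancestors(csp: str) -> List[str]:
    """Return the frame-ancestors source list from a CSP value, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return []


def frame_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason) for one response's headers.

    CSP frame-ancestors is evaluated first because browsers that support it
    ignore X-Frame-Options whenever the directive is present.
    """
    h = _lower_headers(headers)

    ancestors = csp_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors:
        # A bare '*' or a scheme-only source such as https: lets any site frame the page
        permissive = [a for a in ancestors if a == "*" or a in ("http:", "https:")]
        if permissive:
            return False, f"CSP frame-ancestors permits any origin ({' '.join(permissive)})"
        return True, f"CSP frame-ancestors restricts framing to: {' '.join(ancestors)}"

    xfo = h.get("x-frame-options", "").lower()
    if xfo in ("deny", "sameorigin"):
        return True, f"X-Frame-Options: {xfo}"
    if xfo.startswith("allow-from"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by current browsers"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"
    return False, "no X-Frame-Options or CSP frame-ancestors: any origin may frame the page"


def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate a set of named responses, e.g. one per login page checked."""
    return {name: frame_protection(headers) for name, headers in responses.items()}


if __name__ == "__main__":
    for name, (ok, why) in audit(SAMPLE_RESPONSES).items():
        print(f"{name:11} {'OK  ' if ok else 'FAIL'} {why}")
```

After deploying the subscriber, feed it the headers captured from the storefront and admin login pages (for example from `curl -sI`); any FAIL line means that page can still be framed by another origin.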

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2022-24733

Weaknesses