From 9a2b7bd462ea69393d349fedaa64cd52d849166b Mon Sep 17 00:00:00 2001
From: Kentaro Ohkouchi
Date: Fri, 31 May 2019 18:29:38 +0900
Subject: [PATCH] =?UTF-8?q?=E3=82=BB=E3=82=AD=E3=83=A5=E3=83=AA=E3=83=86?=
 =?UTF-8?q?=E3=82=A3=E9=96=A2=E9=80=A3=E3=81=AE=E3=83=98=E3=83=83=E3=83=80?=
 =?UTF-8?q?=E5=87=BA=E5=8A=9B=E3=82=92=20PHP=20=E3=81=8B=E3=82=89=E9=80=81?=
 =?UTF-8?q?=E4=BF=A1=E3=81=99=E3=82=8B=E3=82=88=E3=81=86=E4=BF=AE=E6=AD=A3?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- see also
 - https://github.com/EC-CUBE/eccube-2_13/issues/48
 - https://github.com/EC-CUBE/eccube-2_13/issues/49
 - https://github.com/EC-CUBE/eccube-2_13/pull/206
- X-Frame-Options DENY の影響で phpinfo が表示されなかったのを修正
---
 data/class/pages/LC_Page.php | 13 +++++++++++++
 data/class/pages/admin/LC_Page_Admin.php | 1 +
 .../admin/system/LC_Page_Admin_System_System.php | 10 ++++++++++
 html/.htaccess | 6 ------
 4 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/data/class/pages/LC_Page.php b/data/class/pages/LC_Page.php
index 8339f0118a..090f01b2ae 100644
--- a/data/class/pages/LC_Page.php
+++ b/data/class/pages/LC_Page.php
@@ -89,6 +89,7 @@ class LC_Page
 */
 public function init()
 {
+ $this->sendAdditionalHeader();
 // 開始時刻を設定する。
 $this->timeStart = microtime(true);
@@ -510,4 +511,16 @@ public function checkLimitPostMode()
 trigger_error($msg, E_USER_ERROR);
 }
 }
+
+ /**
+ * 追加の HTTP ヘッダを送信する.
+ *
+ * 主にセキュリティ関連のヘッダを送信する.
+ */
+ public function sendAdditionalHeader()
+ {
+ header('X-XSS-Protection: 1; mode=block');
+ header('X-Content-Type-Options: nosniff');
+ header('X-Frame-Options: DENY');
+ }
 }
diff --git a/data/class/pages/admin/LC_Page_Admin.php b/data/class/pages/admin/LC_Page_Admin.php
index 15d0df5e70..0b504deec8 100644
--- a/data/class/pages/admin/LC_Page_Admin.php
+++ b/data/class/pages/admin/LC_Page_Admin.php
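Review bot: The new `sendAdditionalHeader()` in `LC_Page.php` only runs for requests that reach `LC_Page::init()`, while the `Header always set` directives removed from `html/.htaccess` applied to every response under html/, including static files, uploaded content and any script that does not extend LC_Page; `X-Content-Type-Options: nosniff` matters most on exactly those non-PHP responses, so unless the web-server configuration still sets it elsewhere this is a coverage regression the commit does not mention. The same concern applies to the `LC_Page_Admin::init()` hunk, which likewise only covers pages routed through that class. The docblock should also state the extension contract, e.g. `* Subclasses that need a different X-Frame-Options value override this method; it is called once at the start of init().` `X-XSS-Protection` is a legacy header that current browsers ignore, so a one-line comment noting that a Content-Security-Policy is the modern replacement would help future maintainers decide when to retire it.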
@@ -43,6 +43,7 @@ class LC_Page_Admin extends LC_Page_Ex
 */
 public function init()
 {
+ $this->sendAdditionalHeader();
 $this->template = MAIN_FRAME;
 //IP制限チェック
diff --git a/data/class/pages/admin/system/LC_Page_Admin_System_System.php b/data/class/pages/admin/system/LC_Page_Admin_System_System.php
index 53cb16a5d5..23cb9fcdd8 100644
--- a/data/class/pages/admin/system/LC_Page_Admin_System_System.php
+++ b/data/class/pages/admin/system/LC_Page_Admin_System_System.php
@@ -128,4 +128,14 @@ public function getSystemInfo()
 return $arrSystemInfo;
 }
+
+ /**
+ * {@inheritdoc}
+ */
+ public function sendAdditionalHeader()
+ {
+ header('X-XSS-Protection: 1; mode=block');
+ header('X-Content-Type-Options: nosniff');
+ header('X-Frame-Options: SAMEORIGIN');
+ }
 }
diff --git a/html/.htaccess b/html/.htaccess
index 668bd6ec04..b75d73c0c0 100644
--- a/html/.htaccess
+++ b/html/.htaccess
@@ -1,9 +1,3 @@
-
-Header always set X-XSS-Protection "1; mode=block"
-Header always set X-Content-Type-Options "nosniff"
-Header always set X-Frame-Options DENY
-
-
 # 基本は SC_Initial.php で設定するが、ini_setで反映されないものはここで設定する
 php_value mbstring.language Japanese
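Review bot: The override in `LC_Page_Admin_System_System::sendAdditionalHeader()` re-sends all three headers just to change `X-Frame-Options`, so any header later added to the base implementation is silently dropped on this one admin page; because `header()` replaces an earlier header of the same name by default, the body can be reduced to `parent::sendAdditionalHeader();` followed by `header('X-Frame-Options: SAMEORIGIN');`, assuming the parent chain is not also overridden. The `{@inheritdoc}` docblock should also record why this page relaxes the policy, e.g. `* X-Frame-Options is relaxed from DENY to SAMEORIGIN because phpinfo output is rendered in a frame on this page (see commit message).` Relaxing to SAMEORIGIN rather than dropping the header is the right call, since it still blocks framing by other origins.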