XFrameOptions work around see BT#10217

10 years ago · c82ed131ea
parent c0f16b4715
commit c82ed131ea
4 changed files with 58 additions and 0 deletions
--- a/main/newscorm/blank.php
+++ b/main/newscorm/blank.php
@ -31,6 +31,17 @@ if (isset($_GET['error'])) {
            echo '<br /><br />';
            Display::display_warning_message(get_lang('ReachedOneAttempt'));
            break;
+        case 'x_frames_options':
+            if (isset($_SESSION['x_frame_source'])) {
+                $src = $_SESSION['x_frame_source'];
+                echo Display::return_message(
+                    Display::url($src, $src, ['target' => '_blank']),
+                    'normal',
+                    false
+                );
+                unset($_SESSION['x_frame_source']);
+            }
+            break;
        default:
            break;
    }
--- a/main/newscorm/learnpath.class.php
+++ b/main/newscorm/learnpath.class.php
@ -9872,6 +9872,50 @@ EOD;

        return false;
    }
+
+    /**
+     * Check if URL is not allowed to be show in a iframe
+     * @param string $src
+     *
+     * @return string
+     */
+    public function checkXFrameOptions($src)
+    {
+        if (strpos($src, api_get_path(WEB_CODE_PATH)) === false) {
+            // Check X-Frame-Options
+            $ch = curl_init();
+
+            $options = array(
+                CURLOPT_URL => $src,
+                CURLOPT_RETURNTRANSFER => true,
+                CURLOPT_HEADER => true,
+                CURLOPT_FOLLOWLOCATION => true,
+                CURLOPT_ENCODING => "",
+                CURLOPT_AUTOREFERER => true,
+                CURLOPT_CONNECTTIMEOUT => 120,
+                CURLOPT_TIMEOUT => 120,
+                CURLOPT_MAXREDIRS => 10,
+            );
+            curl_setopt_array($ch, $options);
+            $response = curl_exec($ch);
+            $httpCode = curl_getinfo($ch);
+            $headers = substr($response, 0, $httpCode['header_size']);
+
+            $error = false;
+            if (stripos($headers, 'X-Frame-Options: DENY') > -1 ||
+                stripos($headers, 'X-Frame-Options: SAMEORIGIN')>-1
+            ) {
+                $error = true;
+            }
+
+            if ($error) {
+                $_SESSION['x_frame_source'] = $src;
+                $src = 'blank.php?error=x_frames_options';
+            }
+        }
+
+        return $src;
+    }
 }

 if (!function_exists('trim_value')) {
--- a/main/newscorm/lp_content.php
+++ b/main/newscorm/lp_content.php
@ -59,6 +59,7 @@ if ($dokeos_chapter) {
            } else {
                $src = 'blank.php?error=prerequisites';
            }
+            $src = $_SESSION['oLP']->checkXFrameOptions($src);
            break;
        case 2:
            $_SESSION['oLP']->stop_previous_item();
--- a/main/newscorm/lp_view.php
+++ b/main/newscorm/lp_view.php
@ -167,6 +167,8 @@ if (!isset($src)) {
                ) {
                    $src = api_get_path(WEB_CODE_PATH).'newscorm/lp_view_item.php?lp_item_id='.$lp_item_id.'&'.api_get_cidreq();
                }
+
+                $src = $_SESSION['oLP']->checkXFrameOptions($src);
                $_SESSION['oLP']->start_current_item(); // starts time counter manually if asset
            } else {
                $src = 'blank.php?error=prerequisites';