Bug 938596 - Add hook for modifying HTTP headers. r=LpSolit.

e21cee47 · Gervase Markham · Gervase Markham · fc11e1a8 · e21cee47 · e21cee47
Commit e21cee47 authored Nov 27, 2013 by Gervase Markham Committed by Gervase Markham Nov 27, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 53 additions and 9 deletions

CGI.pm Bugzilla/CGI.pm +19 -9

Hook.pm Bugzilla/Hook.pm +27 -0

Extension.pm extensions/Example/Extension.pm +7 -0

No files found.
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -15,6 +15,7 @@ use parent qw(CGI);
 use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::Util;
+use Bugzilla::Hook;
 use Bugzilla::Search::Recent;

 use File::Basename;
@@ -275,19 +276,23 @@ sub multipart_start {
 sub header {
    my $self = shift;

+    my %headers;
+   
    # If there's only one parameter, then it's a Content-Type.
    if (scalar(@_) == 1) {
-        # Since we're adding parameters below, we have to name it.
-        unshift(@_, '-type' => shift(@_));
+        %headers = ('-type' => shift(@_));
+    }
+    else {
+        %headers = @_;
    }

    if ($self->{'_content_disp'}) {
-        unshift(@_, '-content_disposition' => $self->{'_content_disp'});
+        $headers{'-content_disposition'} = $self->{'_content_disp'};
    }

    # Add the cookies in if we have any
    if (scalar(@{$self->{Bugzilla_cookie_list}})) {
-        unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list});
+        $headers{'-cookie'} = $self->{Bugzilla_cookie_list};
    }

    # Add Strict-Transport-Security (STS) header if this response
@@ -301,24 +306,29 @@ sub header {
        {
            $sts_opts .= '; includeSubDomains';
        }
-        unshift(@_, '-strict_transport_security' => $sts_opts);
+        
+        $headers{'-strict_transport_security'} = $sts_opts;
    }

    # Add X-Frame-Options header to prevent framing and subsequent
    # possible clickjacking problems.
    unless ($self->url_is_attachment_base) {
-        unshift(@_, '-x_frame_options' => 'SAMEORIGIN');
+        $headers{'-x_frame_options'} = 'SAMEORIGIN';
    }

    # Add X-XSS-Protection header to prevent simple XSS attacks
    # and enforce the blocking (rather than the rewriting) mode.
-    unshift(@_, '-x_xss_protection' => '1; mode=block');
+    $headers{'-x_xss_protection'} = '1; mode=block';

    # Add X-Content-Type-Options header to prevent browsers sniffing
    # the MIME type away from the declared Content-Type.
-    unshift(@_, '-x_content_type_options' => 'nosniff');
+    $headers{'-x_content_type_options'} = 'nosniff';
+
+    Bugzilla::Hook::process('cgi_headers',
+        { cgi => $self, headers => \%headers }
+    );

-    return $self->SUPER::header(@_) || "";
+    return $self->SUPER::header(%headers) || "";
 }

 sub param {

--- a/Bugzilla/Hook.pm
+++ b/Bugzilla/Hook.pm
@@ -641,6 +641,33 @@ spaces.
 =back


+=head2 cgi_headers
+
+This allows you to modify the HTTP headers sent out on every Bugzilla
+response.
+
+Params:
+
+=over
+
+=item C<headers>
+
+A hashref, where the keys are header names and the values are header
+values. Keys need to be lower-case, and begin with a "-". If you use
+the "_" character it will be converted to "-", and the library will
+also fix the casing to Camel-Case.
+
+You can delete (some) headers that Bugzilla adds by deleting entries
+from the hash.
+
+=item C<cgi>
+
+The CGI object, which may tell you useful things about the response on
+which to base a decision of whether or not to add a header.
+
+=back
+
+
 =head2 config_add_panels

 If you want to add new panels to the Parameters administrative interface,

--- a/extensions/Example/Extension.pm
+++ b/extensions/Example/Extension.pm
@@ -336,6 +336,13 @@ sub bugmail_relationships {
    $relationships->{+REL_EXAMPLE} = 'Example';
 }

+sub cgi_headers {
+    my ($self, $args) = @_;
+	my $headers = $args->{'headers'};
+	
+	$headers->{'-x_test_header'} = "Test header from Example extension";
+}
+
 sub config_add_panels {
    my ($self, $args) = @_;