ef85f49adc
Summary: This commit doesn't change license of any file. It just makes the license implicit (inherited from LICENSE file in the root directory). We are removing the headers for these reasons: - It wastes space in editors, less code is visible in editor upon opening a file. - It brings noise to diff of the first change of any file every year. - It confuses Git file copy detection when creating small files. - We don't have an explicit license header in other files (JS, CSS, images, documentation). - Using license header in every file is not obligatory: http://www.apache.org/dev/apply-license.html#new. This change is approved by Alma Chao (Lead Open Source and IP Counsel at Facebook). Test Plan: Verified that the license survived only in LICENSE file and that it didn't modify externals. Reviewers: epriestley, davidrecordon Reviewed By: epriestley CC: aran, Korvin Maniphest Tasks: T2035 Differential Revision: https://secure.phabricator.com/D3886
128 lines
3.2 KiB
PHP
128 lines
3.2 KiB
PHP
<?php
|
|
|
|
/**
|
|
* @group aphront
|
|
*/
|
|
abstract class AphrontResponse {
|
|
|
|
private $request;
|
|
private $cacheable = false;
|
|
private $responseCode = 200;
|
|
private $lastModified = null;
|
|
|
|
protected $frameable;
|
|
|
|
public function setRequest($request) {
|
|
$this->request = $request;
|
|
return $this;
|
|
}
|
|
|
|
public function getRequest() {
|
|
return $this->request;
|
|
}
|
|
|
|
public function getHeaders() {
|
|
$headers = array();
|
|
if (!$this->frameable) {
|
|
$headers[] = array('X-Frame-Options', 'Deny');
|
|
}
|
|
|
|
return $headers;
|
|
}
|
|
|
|
public function setCacheDurationInSeconds($duration) {
|
|
$this->cacheable = $duration;
|
|
return $this;
|
|
}
|
|
|
|
public function setLastModified($epoch_timestamp) {
|
|
$this->lastModified = $epoch_timestamp;
|
|
return $this;
|
|
}
|
|
|
|
public function setHTTPResponseCode($code) {
|
|
$this->responseCode = $code;
|
|
return $this;
|
|
}
|
|
|
|
public function getHTTPResponseCode() {
|
|
return $this->responseCode;
|
|
}
|
|
|
|
public function setFrameable($frameable) {
|
|
$this->frameable = $frameable;
|
|
return $this;
|
|
}
|
|
|
|
protected function encodeJSONForHTTPResponse(array $object) {
|
|
|
|
$response = json_encode($object);
|
|
|
|
// Prevent content sniffing attacks by encoding "<" and ">", so browsers
|
|
// won't try to execute the document as HTML even if they ignore
|
|
// Content-Type and X-Content-Type-Options. See T865.
|
|
$response = str_replace(
|
|
array('<', '>'),
|
|
array('\u003c', '\u003e'),
|
|
$response);
|
|
|
|
return $response;
|
|
}
|
|
|
|
protected function addJSONShield($json_response) {
|
|
|
|
// Add a shield to prevent "JSON Hijacking" attacks where an attacker
|
|
// requests a JSON response using a normal <script /> tag and then uses
|
|
// Object.prototype.__defineSetter__() or similar to read response data.
|
|
// This header causes the browser to loop infinitely instead of handing over
|
|
// sensitive data.
|
|
|
|
$shield = 'for (;;);';
|
|
|
|
$response = $shield.$json_response;
|
|
|
|
return $response;
|
|
}
|
|
|
|
public function getCacheHeaders() {
|
|
$headers = array();
|
|
if ($this->cacheable) {
|
|
$headers[] = array(
|
|
'Expires',
|
|
$this->formatEpochTimestampForHTTPHeader(time() + $this->cacheable));
|
|
} else {
|
|
$headers[] = array(
|
|
'Cache-Control',
|
|
'private, no-cache, no-store, must-revalidate');
|
|
$headers[] = array(
|
|
'Pragma',
|
|
'no-cache');
|
|
$headers[] = array(
|
|
'Expires',
|
|
'Sat, 01 Jan 2000 00:00:00 GMT');
|
|
}
|
|
|
|
if ($this->lastModified) {
|
|
$headers[] = array(
|
|
'Last-Modified',
|
|
$this->formatEpochTimestampForHTTPHeader($this->lastModified));
|
|
}
|
|
|
|
// IE has a feature where it may override an explicit Content-Type
|
|
// declaration by inferring a content type. This can be a security risk
|
|
// and we always explicitly transmit the correct Content-Type header, so
|
|
// prevent IE from using inferred content types. This only offers protection
|
|
// on recent versions of IE; IE6/7 and Opera currently ignore this header.
|
|
$headers[] = array('X-Content-Type-Options', 'nosniff');
|
|
|
|
return $headers;
|
|
}
|
|
|
|
private function formatEpochTimestampForHTTPHeader($epoch_timestamp) {
|
|
return gmdate('D, d M Y H:i:s', $epoch_timestamp).' GMT';
|
|
}
|
|
|
|
abstract public function buildResponseString();
|
|
|
|
}
|