From c8a0c7c9c93e7c6d061811ca71fb65a4f527a7a2 Mon Sep 17 00:00:00 2001
From: webchick
Date: Thu, 2 Jul 2015 00:23:35 -0700
Subject: [PATCH] Issue #2514136 by pwolanin, Fabianx: Add default clickjacking defense to core

---
 .../Drupal/Core/EventSubscriber/FinishResponseSubscriber.php | 1 +
 core/modules/system/src/Tests/Routing/RouterTest.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
index 13a0515328e..251b9205bba 100644
--- a/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
+++ b/core/lib/Drupal/Core/EventSubscriber/FinishResponseSubscriber.php
@@ -113,6 +113,7 @@ class FinishResponseSubscriber implements EventSubscriberInterface {
     // XSS and other vulnerabilities.
     // https://www.owasp.org/index.php/List_of_useful_HTTP_headers
     $response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
+    $response->headers->set('X-Frame-Options', 'SAMEORIGIN', FALSE);
 
     // Expose the cache contexts and cache tags associated with this page in a
     // X-Drupal-Cache-Contexts and X-Drupal-Cache-Tags header respectively.
diff --git a/core/modules/system/src/Tests/Routing/RouterTest.php b/core/modules/system/src/Tests/Routing/RouterTest.php
index 209336c2c0a..8fbc3f0a5fc 100644
--- a/core/modules/system/src/Tests/Routing/RouterTest.php
+++ b/core/modules/system/src/Tests/Routing/RouterTest.php
@@ -40,7 +40,7 @@ class RouterTest extends WebTestBase {
     $this->assertEqual($headers['x-ua-compatible'], 'IE=edge');
     $this->assertEqual($headers['content-language'], 'en');
     $this->assertEqual($headers['x-content-type-options'], 'nosniff');
-
+    $this->assertEqual($headers['x-frame-options'], 'SAMEORIGIN');
 
     $this->drupalGet('router_test/test2');
     $this->assertRaw('test2', 'The correct string was returned because the route was successful.');
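Review bot: The added `X-Frame-Options` line carries no comment of its own, while the `X-Content-Type-Options` line directly above it is explained by the existing two-line comment and OWASP link, and a reader also has to know that the trailing `FALSE` is the header bag's `$replace` argument rather than a value. A comment such as `// Default clickjacking defense: only same-origin documents may frame this page. $replace = FALSE keeps any X-Frame-Options value a module or site already set.` placed above the new line would make both points explicit, including the consequence that a weaker value set earlier by other code cannot be tightened from here. Sites that also send a Content-Security-Policy should be aware that a `frame-ancestors` directive takes precedence over this header in browsers that support it, so the two need to agree. The enclosing method starts and ends outside the hunk.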
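Review bot: The new `x-frame-options` assertion is checked only against the `$headers` populated before the hunk, so it demonstrates the header on a single route rather than the default-on-every-response behaviour the subject line describes; re-reading `$headers` the same way the lines before the hunk do after the `router_test/test2` fetch at the end of the hunk and repeating `$this->assertEqual($headers['x-frame-options'], 'SAMEORIGIN');` there would cover a second response at negligible cost. Where `$headers` is filled is inferred, since that code is outside the hunk. The enclosing test method starts and ends outside the hunk.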