GHSA-4jp3-q2qm-9fmw

### Impact

It is possible for a page controlled by an attacker to load the website within an iframe. This will enable a clickjacking attack, in which the attacker's page overlays the target application's interface with a different interface provided by the attacker

### Patches

The issue is fixed in versions: 1.9.10, 1.10.11, 1.11.2, and above.

### Workarounds

Every response from app should have an X-Frame-Options header set to: ``sameorigin``. To achieve that you just need to add a new **subscriber** in your app.

```php
<?php

// src/EventListener/XFrameOptionsSubscriber.php

namespace App\EventListener

final class XFrameOptionsSubscriber implements EventSubscriberInterface
{
public static function getSubscribedEvents(): array
{
return [
KernelEvents::RESPONSE => 'onKernelResponse',
];
}

public function onKernelResponse(ResponseEvent $event): void
{
if (!$this->isMainRequest($event)) {
return;
}

$response = $event->getResponse();

$response->headers->set('X-Frame-Options', 'sameorigin');
}

private function isMainRequest(ResponseEvent $event): bool
{
if (\method_exists($event, 'isMainRequest')) {
return $event->isMainRequest();
}

return $event->isMasterRequest();
}
}

```

And register it in the container:

```yaml
# config/services.yaml
services:
# ...
App\EventListener\XFrameOptionsSubscriber:
tags: ['kernel.event_subscriber']
```

### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Sylius issues](https://github.com/Sylius/Sylius/issues)
* Email us at [[email protected]](mailto:[email protected])