/* Custom CSP policy, changing this will overwrite the standard policy */
"custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:",
+/* Enable/disable X-Frame-Restriction */
+/* HIGH SECURITY RISK IF DISABLED*/
+"xframe_restriction" => true,
+
/* The directory where the user data is stored, default to data in the owncloud
* directory. The sqlite database is also stored here, when sqlite is used.
*/
$this->l10n = OC_L10N::get($parts[0]);
// Some headers to enhance security
- header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
+ // iFrame Restriction Policy
+ $xFramePolicy = OC_Config::getValue('xframe_restriction', true);
+ if($xFramePolicy) {
+ header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+ }
+
// Content Security Policy
// If you change the standard policy, please also change it in config.sample.php
$policy = OC_Config::getValue('custom_csp_policy',