Allow setting X-FRAME-OPTIONS (#16643)

* Allow setting X-FRAME-OPTIONS

This PR provides a mechanism to set the X-FRAME-OPTIONS header.

Fix #7951

Signed-off-by: Andrew Thornton <art27@cantab.net>
* Update docs/content/doc/advanced/config-cheat-sheet.en-us.md

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Co-authored-by: John Olheiser <john.olheiser@gmail.com>

diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 6ea31586a74d5bd77b726271b08371a7e8a5e8cf..44516b5e64d5cfc280e36df293f0262aac519a57 100644 (file)
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -993,6 +993,9 @@ PATH =
 ;;
 ;; allow request with credentials
 ;ALLOW_CREDENTIALS = false
+;;
+;; set X-FRAME-OPTIONS header
+;X_FRAME_OPTIONS = SAMEORIGIN
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 9c7bddc8eb7ebd8a7f097af5dc02637d7f3b8341..e94c3ece2a470ffc7fd2204f0fab826f1dc679f0 100644 (file)
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -162,6 +162,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
 
 ## UI (`ui`)
 

diff --git a/modules/context/api.go b/modules/context/api.go
index 8f1ed3f2ce2dcc48d40a6a1247ea9ddb04f701ad..b543c8bac826d57a4de7d18de816beb9de1b94ed 100644 (file)
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler {
                                }
                        }
 
-                       ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+                       ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 
                        ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
 

diff --git a/modules/context/context.go b/modules/context/context.go
index 9d04fe3858886159cc17a9d319653d1c93071a3a..041b81c66851d1fd20000cfc28d2d26701ff6173 100644 (file)
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler {
                                }
                        }
 
-                       ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+                       ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 
                        ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
                        ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)

diff --git a/modules/setting/cors.go b/modules/setting/cors.go
index d7856e8b23f80bd6ffd9be0483e1d8032b9af324..4c7997d584e4004b4cafde1bbac723a74f25b682 100644 (file)
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -20,9 +20,11 @@ var (
                Methods          []string
                MaxAge           time.Duration
                AllowCredentials bool
+               XFrameOptions    string
        }{
-               Enabled: false,
-               MaxAge:  10 * time.Minute,
+               Enabled:       false,
+               MaxAge:        10 * time.Minute,
+               XFrameOptions: "SAMEORIGIN",
        }
 )
 

diff --git a/routers/install/routes.go b/routers/install/routes.go
index 36130d4b3f3988941ed2f0437d6c9b4aed63ec7a..e9aca85d8edd6d3bd0b6aacab5c5d4c2ef03480a 100644 (file)
--- a/routers/install/routes.go
+++ b/routers/install/routes.go
@@ -61,7 +61,7 @@ func installRecovery() func(next http.Handler) http.Handler {
                                                "SignedUserName": "",
                                        }
 
-                                       w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+                                       w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 
                                        if !setting.IsProd() {
                                                store["ErrorMsg"] = combinedErr

diff --git a/routers/web/base.go b/routers/web/base.go
index f079be51f046a738ea75631056c03c29936ef85f..9238ea217317aa7b85c3f6477e5b1b0a82eb388d 100644 (file)
--- a/routers/web/base.go
+++ b/routers/web/base.go
@@ -171,7 +171,7 @@ func Recovery() func(next http.Handler) http.Handler {
                                                store["SignedUserName"] = ""
                                        }
 
-                                       w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+                                       w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 
                                        if !setting.IsProd() {
                                                store["ErrorMsg"] = combinedErr