- xframe restriction configurable now

diff --git a/config/config.sample.php b/config/config.sample.php
index ec61ceefd6cd27167c5ba1a472f68caac5c4d1e9..7be99ee905d97574e244b758611a514b68bdd814 100644 (file)
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -138,6 +138,10 @@ $CONFIG = array(
 /* Custom CSP policy, changing this will overwrite the standard policy */
 "custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:",
 
+/* Enable/disable X-Frame-Restriction */
+/* HIGH SECURITY RISK IF DISABLED*/
+"xframe_restriction" => true,
+       
 /* The directory where the user data is stored, default to data in the owncloud
  * directory. The sqlite database is also stored here, when sqlite is used.
  */

diff --git a/lib/template.php b/lib/template.php
index f007618ff19e9f1b694b583816b6446fb48d6516..ad875359d7fec99908e07a80b8657d4764d5e2f7 100644 (file)
--- a/lib/template.php
+++ b/lib/template.php
@@ -186,10 +186,15 @@ class OC_Template{
                $this->l10n = OC_L10N::get($parts[0]);
 
                // Some headers to enhance security
-               header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
                header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
                header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
 
+               // iFrame Restriction Policy
+               $xFramePolicy = OC_Config::getValue('xframe_restriction', true);
+               if($xFramePolicy) {
+                       header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+               }
+               
                // Content Security Policy
                // If you change the standard policy, please also change it in config.sample.php
                $policy = OC_Config::getValue('custom_csp_policy',