authorzeripath <art27@cantab.net>2021-08-06 21:47:10 +0100
committerGitHub <noreply@github.com>2021-08-06 16:47:10 -0400
commitafd88a2418efcef25058bf30df892471c3b68281 (patch)
tree62564fe9b49acaee7d45f36240dfa149ed6d9f21 /modules
parent067d82b5a6eb223ff6f6bfa1755e0a2c5bab1d3f (diff)
Allow setting X-FRAME-OPTIONS (#16643)
* Allow setting X-FRAME-OPTIONS This PR provides a mechanism to set the X-FRAME-OPTIONS header. Fix #7951 Signed-off-by: Andrew Thornton <art27@cantab.net> * Update docs/content/doc/advanced/config-cheat-sheet.en-us.md Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
Diffstat (limited to 'modules')
-rw-r--r--modules/context/api.go2
-rw-r--r--modules/context/context.go2
-rw-r--r--modules/setting/cors.go6
3 files changed, 6 insertions, 4 deletions
diff --git a/modules/context/api.go b/modules/context/api.go
index 8f1ed3f2ce..b543c8bac8 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler {
}
}
- ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+ ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
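Review bot: The header value is now emitted verbatim from configuration in two separate middlewares (this one and the identical line in context.go), so any validation or fallback added later has to be duplicated, and the API and web paths can drift. A small shared helper in modules/context, e.g. `func setFrameOptions(w http.ResponseWriter) { w.Header().Set("X-Frame-Options", setting.CORSConfig.XFrameOptions) }`, called from both places would keep one source of truth and give a single spot to add a CSP `frame-ancestors` equivalent if that is ever wanted. APIContexter's body starts and ends outside this hunk.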
diff --git a/modules/context/context.go b/modules/context/context.go
index 9d04fe3858..041b81c668 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler {
}
}
- ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+ ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
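Review bot: The replaced line sets `X-Frame-Options` unconditionally to whatever `setting.CORSConfig.XFrameOptions` holds, so if the configured value ends up empty or unparseable Gitea will still send the header, and browsers silently ignore an X-Frame-Options value they do not recognise, which removes the clickjacking protection the previous hard-coded `SAMEORIGIN` gave. Note also that the setting lives on `CORSConfig`, presumably under the `[cors]` section, although it is applied regardless of whether CORS itself is enabled; an administrator may reasonably assume `ENABLED = false` makes the section inert, so the config cheat-sheet entry should state that `X_FRAME_OPTIONS` is always in effect. A comment on this line such as `// X-Frame-Options is emitted on every response; the value is validated when [cors] is loaded` would make the contract clear, provided that validation is actually added at load time (see the cors.go hunk). Contexter's body starts and ends outside this hunk.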
diff --git a/modules/setting/cors.go b/modules/setting/cors.go
index d7856e8b23..4c7997d584 100644
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -20,9 +20,11 @@ var (
Methods []string
MaxAge time.Duration
AllowCredentials bool
+ XFrameOptions string
}{
- Enabled: false,
- MaxAge: 10 * time.Minute,
+ Enabled: false,
+ MaxAge: 10 * time.Minute,
+ XFrameOptions: "SAMEORIGIN",
}
)
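Review bot: The new `XFrameOptions` field gets a safe default here, but nothing in this diff validates the value an administrator supplies, and the callers in api.go and context.go write it straight into the response header. Only `DENY` and `SAMEORIGIN` are reliably honoured by browsers (RFC 7034 treats them case-insensitively); `ALLOW-FROM` is ignored by Chrome and Safari, and an unrecognised or empty value causes the header to be ignored entirely, so a typo silently disables framing protection rather than failing loudly. Wherever the `[cors]` section is mapped onto this struct (not visible in this diff), normalise and check the value, e.g. `if v := strings.ToUpper(strings.TrimSpace(CORSConfig.XFrameOptions)); v == "DENY" || v == "SAMEORIGIN" { CORSConfig.XFrameOptions = v } else { CORSConfig.XFrameOptions = "SAMEORIGIN" }`, logging a warning in the fallback branch, and document in the cheat sheet that admins who need to allow specific framing origins must use a CSP `frame-ancestors` directive instead. The `var (` block this hunk edits starts before the hunk.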