From afd88a2418efcef25058bf30df892471c3b68281 Mon Sep 17 00:00:00 2001
From: zeripath
Date: Fri, 6 Aug 2021 21:47:10 +0100
Subject: Allow setting X-FRAME-OPTIONS (#16643)
* Allow setting X-FRAME-OPTIONS
This PR provides a mechanism to set the X-FRAME-OPTIONS header.
Fix #7951
Signed-off-by: Andrew Thornton
* Update docs/content/doc/advanced/config-cheat-sheet.en-us.md
Co-authored-by: John Olheiser
Co-authored-by: John Olheiser
---
 modules/context/api.go | 2 +-
 modules/context/context.go | 2 +-
 modules/setting/cors.go | 6 ++++--
 3 files changed, 6 insertions(+), 4 deletions(-)
(limited to 'modules')
diff --git a/modules/context/api.go b/modules/context/api.go
index 8f1ed3f2ce..b543c8bac8 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler {
 }
 }
-ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
diff --git a/modules/context/context.go b/modules/context/context.go
index 9d04fe3858..041b81c668 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler {
 }
 }
-ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
 ctx.Data["CsrfTokenHtml"] = template.HTML(``)
diff --git a/modules/setting/cors.go b/modules/setting/cors.go
index d7856e8b23..4c7997d584 100644
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -20,9 +20,11 @@ var (
 Methods []string
 MaxAge time.Duration
 AllowCredentials bool
+XFrameOptions string
 }{
-Enabled: false,
-MaxAge: 10 * time.Minute,
+Enabled: false,
+MaxAge: 10 * time.Minute,
+XFrameOptions: "SAMEORIGIN",
 }
 )
--
cgit v1.2.3
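Review bot: The value passed to `ctx.Resp.Header().Set` now comes straight from configuration with no check that it is something browsers honour, so a misspelled or empty configured value silently discards the clickjacking protection the hard-coded `SAMEORIGIN` used to guarantee (an empty string still reaches `Set`, yielding an empty `X-Frame-Options` header that browsers ignore). The identical line in the modules/context/context.go hunk has the same issue, so one fix covers both. Because the header only has a small set of meaningful values, the configured string should be normalised and validated where it is read (that loader is not part of this diff), for instance accepting only `DENY` or `SAMEORIGIN` and otherwise logging a warning and keeping the `SAMEORIGIN` default; if an empty value is meant to disable the header, make that explicit with `if v := setting.CORSConfig.XFrameOptions; v != "" { ctx.Resp.Header().Set(`X-Frame-Options`, v) }` and document it. The enclosing APIContexter body starts and ends outside the hunk.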
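Review bot: The new `XFrameOptions` field carries no comment saying what it controls, which values are meaningful, or that the `"SAMEORIGIN"` default preserves the previous hard-coded behaviour; add `// XFrameOptions is the value sent in the X-Frame-Options response header; defaults to "SAMEORIGIN".` above the field in the struct. Placing a framing policy inside CORSConfig is also a discoverability concern, since X-Frame-Options is unrelated to cross-origin resource sharing and a reader may assume it only applies when CORS is enabled (the config section it is loaded from is not shown in this diff, so that coupling is inferred). Keeping `SAMEORIGIN` as the default is the right choice for existing installs. The enclosing `var (` block begins and ends outside the hunk.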