Allow setting X-FRAME-OPTIONS (#16643)

* Allow setting X-FRAME-OPTIONS This PR provides a mechanism to set the X-FRAME-OPTIONS header. Fix #7951 Signed-off-by: Andrew Thornton <art27@cantab.net> * Update docs/content/doc/advanced/config-cheat-sheet.en-us.md Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
2025-11-04 16:40:24 +08:00 · 2021-08-06 21:47:10 +01:00
parent 067d82b5a6
commit afd88a2418
7 changed files with 12 additions and 6 deletions
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -993,6 +993,9 @@ PATH =
 ;;
 ;; allow request with credentials
 ;ALLOW_CREDENTIALS = false
+;;
+;; set X-FRAME-OPTIONS header
+;X_FRAME_OPTIONS = SAMEORIGIN

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -162,6 +162,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.

 ## UI (`ui`)

--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler {
 				}
 			}

-			ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+			ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)

 			ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())

--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler {
 				}
 			}

-			ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+			ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)

 			ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
 			ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -20,9 +20,11 @@ var (
 		Methods          []string
 		MaxAge           time.Duration
 		AllowCredentials bool
+		XFrameOptions    string
 	}{
-		Enabled: false,
-		MaxAge:  10 * time.Minute,
+		Enabled:       false,
+		MaxAge:        10 * time.Minute,
+		XFrameOptions: "SAMEORIGIN",
 	}
 )

--- a/routers/install/routes.go
+++ b/routers/install/routes.go
@@ -61,7 +61,7 @@ func installRecovery() func(next http.Handler) http.Handler {
 						"SignedUserName": "",
 					}

-					w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+					w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)

 					if !setting.IsProd() {
 						store["ErrorMsg"] = combinedErr
--- a/routers/web/base.go
+++ b/routers/web/base.go
@@ -171,7 +171,7 @@ func Recovery() func(next http.Handler) http.Handler {
 						store["SignedUserName"] = ""
 					}

-					w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+					w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)

 					if !setting.IsProd() {
 						store["ErrorMsg"] = combinedErr