From afd88a2418efcef25058bf30df892471c3b68281 Mon Sep 17 00:00:00 2001 From: zeripath Date: Fri, 6 Aug 2021 21:47:10 +0100 Subject: [PATCH] Allow setting X-FRAME-OPTIONS (#16643) * Allow setting X-FRAME-OPTIONS This PR provides a mechanism to set the X-FRAME-OPTIONS header. Fix #7951 Signed-off-by: Andrew Thornton * Update docs/content/doc/advanced/config-cheat-sheet.en-us.md Co-authored-by: John Olheiser Co-authored-by: John Olheiser --- custom/conf/app.example.ini | 3 +++ docs/content/doc/advanced/config-cheat-sheet.en-us.md | 1 + modules/context/api.go | 2 +- modules/context/context.go | 2 +- modules/setting/cors.go | 6 ++++-- routers/install/routes.go | 2 +- routers/web/base.go | 2 +- 7 files changed, 12 insertions(+), 6 deletions(-) diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini index 6ea31586a7..44516b5e64 100644 --- a/custom/conf/app.example.ini +++ b/custom/conf/app.example.ini @@ -993,6 +993,9 @@ PATH = ;; ;; allow request with credentials ;ALLOW_CREDENTIALS = false +;; +;; set X-FRAME-OPTIONS header +;X_FRAME_OPTIONS = SAMEORIGIN ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md index 9c7bddc8eb..e94c3ece2a 100644 --- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md +++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md @@ -162,6 +162,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request - `MAX_AGE`: **10m**: max time to cache response - `ALLOW_CREDENTIALS`: **false**: allow request with credentials +- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value. ## UI (`ui`) diff --git a/modules/context/api.go b/modules/context/api.go index 8f1ed3f2ce..b543c8bac8 100644 --- a/modules/context/api.go +++ b/modules/context/api.go @@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler { } } - ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) + ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions) ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken()) diff --git a/modules/context/context.go b/modules/context/context.go index 9d04fe3858..041b81c668 100644 --- a/modules/context/context.go +++ b/modules/context/context.go @@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler { } } - ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) + ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions) ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken()) ctx.Data["CsrfTokenHtml"] = template.HTML(``) diff --git a/modules/setting/cors.go b/modules/setting/cors.go index d7856e8b23..4c7997d584 100644 --- a/modules/setting/cors.go +++ b/modules/setting/cors.go @@ -20,9 +20,11 @@ var ( Methods []string MaxAge time.Duration AllowCredentials bool + XFrameOptions string }{ - Enabled: false, - MaxAge: 10 * time.Minute, + Enabled: false, + MaxAge: 10 * time.Minute, + XFrameOptions: "SAMEORIGIN", } ) diff --git a/routers/install/routes.go b/routers/install/routes.go index 36130d4b3f..e9aca85d8e 100644 --- a/routers/install/routes.go +++ b/routers/install/routes.go @@ -61,7 +61,7 @@ func installRecovery() func(next http.Handler) http.Handler { "SignedUserName": "", } - w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) + w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions) if !setting.IsProd() { store["ErrorMsg"] = combinedErr diff --git a/routers/web/base.go b/routers/web/base.go index f079be51f0..9238ea2173 100644 --- a/routers/web/base.go +++ b/routers/web/base.go @@ -171,7 +171,7 @@ func Recovery() func(next http.Handler) http.Handler { store["SignedUserName"] = "" } - w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) + w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions) if !setting.IsProd() { store["ErrorMsg"] = combinedErr