13
3
Fork 0
Wiki Issues 89 resources competences Projects 8 Code Pull Requests Releases Activity
Browse Source

Allow setting X-FRAME-OPTIONS (#16643) 

* Allow setting X-FRAME-OPTIONS

This PR provides a mechanism to set the X-FRAME-OPTIONS header.

Fix #7951

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update docs/content/doc/advanced/config-cheat-sheet.en-us.md

Co-authored-by: John Olheiser <john.olheiser@gmail.com>

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
tags/v1.16.0-rc1
zeripath 4 years ago committed by GitHub
parent
067d82b5a6
commit
afd88a2418
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 12 additions and 6 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 3
      custom/conf/app.example.ini
  2. 1
      docs/content/doc/advanced/config-cheat-sheet.en-us.md
  3. 2
      modules/context/api.go
  4. 2
      modules/context/context.go
  5. 6
      modules/setting/cors.go
  6. 2
      routers/install/routes.go
  7. 2
      routers/web/base.go

3
custom/conf/app.example.ini
Unescape View File

@ -993,6 +993,9 @@ PATH =
;;
;; allow request with credentials
;ALLOW_CREDENTIALS = false
;;
;; set X-FRAME-OPTIONS header
;X_FRAME_OPTIONS = SAMEORIGIN
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

1
docs/content/doc/advanced/config-cheat-sheet.en-us.md
Unescape View File

@ -162,6 +162,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
- `MAX_AGE`: **10m**: max time to cache response
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
## UI (`ui`)

2
modules/context/api.go
Unescape View File

@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler {
}
}
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())

2
modules/context/context.go
Unescape View File

@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler {
}
}
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)

6
modules/setting/cors.go
Unescape View File

@ -20,9 +20,11 @@ var (
Methods []string
MaxAge time.Duration
AllowCredentials bool
XFrameOptions string
}{
Enabled: false,
MaxAge: 10 * time.Minute,
Enabled: false,
MaxAge: 10 * time.Minute,
XFrameOptions: "SAMEORIGIN",
}
)

2
routers/install/routes.go
Unescape View File

@ -61,7 +61,7 @@ func installRecovery() func(next http.Handler) http.Handler {
"SignedUserName": "",
}
w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
if !setting.IsProd() {
store["ErrorMsg"] = combinedErr

2
routers/web/base.go
Unescape View File

@ -171,7 +171,7 @@ func Recovery() func(next http.Handler) http.Handler {
store["SignedUserName"] = ""
}
w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
if !setting.IsProd() {
store["ErrorMsg"] = combinedErr

Write Preview
Loading…
Cancel
Save