diff --git a/custom/conf/app.example.ini b/custom/conf/app.example.ini
index 6ea31586a74d5..44516b5e64d5c 100644
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -993,6 +993,9 @@ PATH =
 ;;
 ;; allow request with credentials
 ;ALLOW_CREDENTIALS = false
+;;
+;; set X-FRAME-OPTIONS header
+;X_FRAME_OPTIONS = SAMEORIGIN
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
diff --git a/docs/content/doc/advanced/config-cheat-sheet.en-us.md b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
index 9c7bddc8eb7eb..e94c3ece2a470 100644
--- a/docs/content/doc/advanced/config-cheat-sheet.en-us.md
+++ b/docs/content/doc/advanced/config-cheat-sheet.en-us.md
@@ -162,6 +162,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
 - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
 - `MAX_AGE`: **10m**: max time to cache response
 - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
+- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
 ## UI (`ui`)
diff --git a/modules/context/api.go b/modules/context/api.go
index 8f1ed3f2ce2dc..b543c8bac826d 100644
--- a/modules/context/api.go
+++ b/modules/context/api.go
@@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler {
 }
 }
- ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+ ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
diff --git a/modules/context/context.go b/modules/context/context.go
index 9d04fe3858886..041b81c66851d 100644
--- a/modules/context/context.go
+++ b/modules/context/context.go
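Review bot: The replaced line in APIContexter now sends whatever `setting.CORSConfig.XFrameOptions` holds verbatim, and `Header().Set` will emit an empty or misspelled value without complaint; browsers treat any token other than `DENY`/`SAMEORIGIN` as if the header were absent, so a bad config value silently drops the clickjacking guard instead of failing closed. The identical `Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)` line is repeated in four files in this diff (api.go, context.go, install/routes.go, web/base.go), which makes it easy for a future tightening (validation, or adding `Content-Security-Policy: frame-ancestors`) to miss one site. I would route all four through one helper, e.g. `func SetFrameOptions(h http.Header) { h.Set("X-Frame-Options", setting.CORSConfig.XFrameOptions) }`, so the policy lives in one place. The body of APIContexter starts and ends outside the hunk.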
@@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler {
 }
 }
- ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+ ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
 ctx.Data["CsrfTokenHtml"] = template.HTML(``)
diff --git a/modules/setting/cors.go b/modules/setting/cors.go
index d7856e8b23f80..4c7997d584e40 100644
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -20,9 +20,11 @@ var (
 Methods []string
 MaxAge time.Duration
 AllowCredentials bool
+ XFrameOptions string
 }{
- Enabled: false,
- MaxAge: 10 * time.Minute,
+ Enabled: false,
+ MaxAge: 10 * time.Minute,
+ XFrameOptions: "SAMEORIGIN",
 }
 )
diff --git a/routers/install/routes.go b/routers/install/routes.go
index 36130d4b3f398..e9aca85d8edd6 100644
--- a/routers/install/routes.go
+++ b/routers/install/routes.go
@@ -61,7 +61,7 @@ func installRecovery() func(next http.Handler) http.Handler {
 "SignedUserName": "",
 }
- w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+ w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 if !setting.IsProd() {
 store["ErrorMsg"] = combinedErr
diff --git a/routers/web/base.go b/routers/web/base.go
index f079be51f046a..9238ea217317a 100644
--- a/routers/web/base.go
+++ b/routers/web/base.go
@@ -171,7 +171,7 @@ func Recovery() func(next http.Handler) http.Handler {
 store["SignedUserName"] = ""
 }
- w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
+ w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
 if !setting.IsProd() {
 store["ErrorMsg"] = combinedErr
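Review bot: The new `XFrameOptions` field in cors.go accepts any string and carries no comment, yet the only values current browsers honour are `DENY` and `SAMEORIGIN` (`ALLOW-FROM` is no longer supported, and anything else is ignored, which fails open by silently allowing framing). The loader that reads `X_FRAME_OPTIONS` from the `[cors]` section is not part of this diff, so I cannot tell whether the value is validated; if it is not, startup should reject anything but those two tokens, e.g. `if v := strings.ToUpper(CORSConfig.XFrameOptions); v != "DENY" && v != "SAMEORIGIN" { /* fail startup: X_FRAME_OPTIONS must be DENY or SAMEORIGIN */ }`. Please also document the field: `// XFrameOptions is sent verbatim as the X-Frame-Options response header; browsers ignore unrecognised values, so only DENY or SAMEORIGIN provide clickjacking protection.` The `var (` block starts before the hunk.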