[pocketbase#677] unset the X-Frame-Options when serving static files …

…to allow files embedding

tools/filesystem/filesystem.go

@@ -223,6 +223,11 @@ func (s *System) Serve(response http.ResponseWriter, fileKey string, name string
 		extContentType = ct
 	}
 
+	// clickjacking shouldn't be a concern when serving static files,
+	// so it safe to unset the global X-Frame-Options to allow files embedding
+	// (https://github.com/pocketbase/pocketbase/issues/677)
+	response.Header().Del("X-Frame-Options")
+
 	response.Header().Set("Content-Disposition", disposition+"; filename="+name)
 	response.Header().Set("Content-Type", extContentType)
 	response.Header().Set("Content-Length", strconv.FormatInt(r.Size(), 10))

tools/filesystem/filesystem_test.go

@@ -240,6 +240,10 @@ func TestFileSystemServe(t *testing.T) {
 				t.Errorf("(%s) Expected value %q for header %q, got %q", scenario.path, hValue, hName, v)
 			}
 		}
+
+		if v := result.Header.Get("X-Frame-Options"); v != "" {
+			t.Errorf("(%s) Expected the X-Frame-Options header to be unset, got %v", scenario.path, v)
+		}
 	}
 }
 

ui/.env

@@ -4,4 +4,4 @@ PB_PROFILE_COLLECTION = "profiles"
 PB_INSTALLER_PARAM    = "installer"
 PB_RULES_SYNTAX_DOCS  = "https://pocketbase.io/docs/manage-collections#rules-filters-syntax"
 PB_RELEASES           = "https://github.com/pocketbase/pocketbase/releases"
-PB_VERSION            = "v0.7.7"
+PB_VERSION            = "v0.7.8"