core
/
gitea
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow setting X-FRAME-OPTIONS (#16643) 

* Allow setting X-FRAME-OPTIONS

This PR provides a mechanism to set the X-FRAME-OPTIONS header.

Fix #7951

Signed-off-by: Andrew Thornton <art27@cantab.net>

* Update docs/content/doc/advanced/config-cheat-sheet.en-us.md

Co-authored-by: John Olheiser <john.olheiser@gmail.com>

Co-authored-by: John Olheiser <john.olheiser@gmail.com>
This commit is contained in:
zeripath 2021-08-06 21:47:10 +01:00 committed by GitHub
parent 067d82b5a6
commit afd88a2418
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 12 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
custom/conf/app.example.ini
View File

@ -993,6 +993,9 @@ PATH =
;; ;;
;; allow request with credentials ;; allow request with credentials
;ALLOW_CREDENTIALS = false ;ALLOW_CREDENTIALS = false
;;
;; set X-FRAME-OPTIONS header
;X_FRAME_OPTIONS = SAMEORIGIN
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

1
docs/content/doc/advanced/config-cheat-sheet.en-us.md
View File

@ -162,6 +162,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request - `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
- `MAX_AGE`: **10m**: max time to cache response - `MAX_AGE`: **10m**: max time to cache response
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials - `ALLOW_CREDENTIALS`: **false**: allow request with credentials
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
## UI (`ui`) ## UI (`ui`)

2
modules/context/api.go
View File

@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler {
} }
} }
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken()) ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())

2
modules/context/context.go
View File

@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler {
} }
} }
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken()) ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`) ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)

6
modules/setting/cors.go
View File

@ -20,9 +20,11 @@ var (
Methods []string Methods []string
MaxAge time.Duration MaxAge time.Duration
AllowCredentials bool AllowCredentials bool
XFrameOptions string
}{ }{
Enabled: false, Enabled: false,
MaxAge: 10 * time.Minute, MaxAge: 10 * time.Minute,
XFrameOptions: "SAMEORIGIN",
} }
) )

2
routers/install/routes.go
View File

@ -61,7 +61,7 @@ func installRecovery() func(next http.Handler) http.Handler {
"SignedUserName": "", "SignedUserName": "",
} }
w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
if !setting.IsProd() { if !setting.IsProd() {
store["ErrorMsg"] = combinedErr store["ErrorMsg"] = combinedErr

2
routers/web/base.go
View File

@ -171,7 +171,7 @@ func Recovery() func(next http.Handler) http.Handler {
store["SignedUserName"] = "" store["SignedUserName"] = ""
} }
w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`) w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
if !setting.IsProd() { if !setting.IsProd() {
store["ErrorMsg"] = combinedErr store["ErrorMsg"] = combinedErr