mirror of
https://codeberg.org/forgejo/forgejo.git
synced 2024-12-22 16:47:30 +00:00
Allow setting X-FRAME-OPTIONS (#16643)
* Allow setting X-FRAME-OPTIONS This PR provides a mechanism to set the X-FRAME-OPTIONS header. Fix #7951 Signed-off-by: Andrew Thornton <art27@cantab.net> * Update docs/content/doc/advanced/config-cheat-sheet.en-us.md Co-authored-by: John Olheiser <john.olheiser@gmail.com> Co-authored-by: John Olheiser <john.olheiser@gmail.com>
This commit is contained in:
parent
067d82b5a6
commit
afd88a2418
|
@ -993,6 +993,9 @@ PATH =
|
||||||
;;
|
;;
|
||||||
;; allow request with credentials
|
;; allow request with credentials
|
||||||
;ALLOW_CREDENTIALS = false
|
;ALLOW_CREDENTIALS = false
|
||||||
|
;;
|
||||||
|
;; set X-FRAME-OPTIONS header
|
||||||
|
;X_FRAME_OPTIONS = SAMEORIGIN
|
||||||
|
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
||||||
|
|
|
@ -162,6 +162,7 @@ The following configuration set `Content-Type: application/vnd.android.package-a
|
||||||
- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
|
- `METHODS`: **GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS**: list of methods allowed to request
|
||||||
- `MAX_AGE`: **10m**: max time to cache response
|
- `MAX_AGE`: **10m**: max time to cache response
|
||||||
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
|
- `ALLOW_CREDENTIALS`: **false**: allow request with credentials
|
||||||
|
- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value.
|
||||||
|
|
||||||
## UI (`ui`)
|
## UI (`ui`)
|
||||||
|
|
||||||
|
|
|
@ -270,7 +270,7 @@ func APIContexter() func(http.Handler) http.Handler {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
|
ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
|
||||||
|
|
||||||
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
|
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
|
||||||
|
|
||||||
|
|
|
@ -729,7 +729,7 @@ func Contexter() func(next http.Handler) http.Handler {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
ctx.Resp.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
|
ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
|
||||||
|
|
||||||
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
|
ctx.Data["CsrfToken"] = html.EscapeString(ctx.csrf.GetToken())
|
||||||
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
|
ctx.Data["CsrfTokenHtml"] = template.HTML(`<input type="hidden" name="_csrf" value="` + ctx.Data["CsrfToken"].(string) + `">`)
|
||||||
|
|
|
@ -20,9 +20,11 @@ var (
|
||||||
Methods []string
|
Methods []string
|
||||||
MaxAge time.Duration
|
MaxAge time.Duration
|
||||||
AllowCredentials bool
|
AllowCredentials bool
|
||||||
|
XFrameOptions string
|
||||||
}{
|
}{
|
||||||
Enabled: false,
|
Enabled: false,
|
||||||
MaxAge: 10 * time.Minute,
|
MaxAge: 10 * time.Minute,
|
||||||
|
XFrameOptions: "SAMEORIGIN",
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
|
@ -61,7 +61,7 @@ func installRecovery() func(next http.Handler) http.Handler {
|
||||||
"SignedUserName": "",
|
"SignedUserName": "",
|
||||||
}
|
}
|
||||||
|
|
||||||
w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
|
w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
|
||||||
|
|
||||||
if !setting.IsProd() {
|
if !setting.IsProd() {
|
||||||
store["ErrorMsg"] = combinedErr
|
store["ErrorMsg"] = combinedErr
|
||||||
|
|
|
@ -171,7 +171,7 @@ func Recovery() func(next http.Handler) http.Handler {
|
||||||
store["SignedUserName"] = ""
|
store["SignedUserName"] = ""
|
||||||
}
|
}
|
||||||
|
|
||||||
w.Header().Set(`X-Frame-Options`, `SAMEORIGIN`)
|
w.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
|
||||||
|
|
||||||
if !setting.IsProd() {
|
if !setting.IsProd() {
|
||||||
store["ErrorMsg"] = combinedErr
|
store["ErrorMsg"] = combinedErr
|
||||||
|
|
Loading…
Reference in a new issue