Move cors.X_FRAME_OPTIONS to security.X_FRAME_OPTIONS and add false option

2025-11-02 12:28:25 +00:00 · 2024-04-03 01:17:38 +02:00
parent e006451ab1
commit aace6002ee
8 changed files with 19 additions and 10 deletions
--- a/modules/setting/cors.go
+++ b/modules/setting/cors.go
@@ -17,13 +17,11 @@ var CORSConfig = struct {
 	MaxAge           time.Duration
 	AllowCredentials bool
 	Headers          []string
-	XFrameOptions    string
 }{
 	AllowDomain:   []string{"*"},
 	Methods:       []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
 	Headers:       []string{"Content-Type", "User-Agent"},
 	MaxAge:        10 * time.Minute,
-	XFrameOptions: "SAMEORIGIN",
 }

 func loadCorsFrom(rootCfg ConfigProvider) {
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -37,6 +37,7 @@ var (
 	DisableQueryAuthToken              bool
 	CSRFCookieName                     = "_csrf"
 	CSRFCookieHTTPOnly                 = true
+	XFrameOptions                      string
 )

 // loadSecret load the secret from ini by uriKey or verbatimKey, only one of them could be set
@@ -139,6 +140,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
 	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
 	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
+	XFrameOptions = sec.Key("X_FRAME_OPTIONS").MustString("SAMEORIGIN")

 	InternalToken = loadSecret(sec, "INTERNAL_TOKEN_URI", "INTERNAL_TOKEN")
 	if InstallLock && InternalToken == "" {