Move cors.X_FRAME_OPTIONS to security.X_FRAME_OPTIONS and add false option

2025-07-14 22:47:21 +00:00 · 2024-04-03 01:17:38 +02:00
parent e006451ab1
commit aace6002ee
8 changed files with 19 additions and 10 deletions
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@ -37,6 +37,7 @@ var (
 	DisableQueryAuthToken              bool
 	CSRFCookieName                     = "_csrf"
 	CSRFCookieHTTPOnly                 = true
+	XFrameOptions                      string
 )

 // loadSecret load the secret from ini by uriKey or verbatimKey, only one of them could be set
@ -139,6 +140,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 	CSRFCookieHTTPOnly = sec.Key("CSRF_COOKIE_HTTP_ONLY").MustBool(true)
 	PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
 	SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
+	XFrameOptions = sec.Key("X_FRAME_OPTIONS").MustString("SAMEORIGIN")

 	InternalToken = loadSecret(sec, "INTERNAL_TOKEN_URI", "INTERNAL_TOKEN")
 	if InstallLock && InternalToken == "" {