Move cors.X_FRAME_OPTIONS to security.X_FRAME_OPTIONS and add false option

2025-12-07 13:28:25 +00:00 · 2024-04-03 01:17:38 +02:00
parent e006451ab1
commit aace6002ee
8 changed files with 19 additions and 10 deletions
@@ -235,7 +235,10 @@ func APIContexter() func(http.Handler) http.Handler {
 			}

 			httpcache.SetCacheControlInHeader(ctx.Resp.Header(), 0, "no-transform")
-			ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
+
+			if setting.XFrameOptions != "false" {
+				ctx.Resp.Header().Set(`X-Frame-Options`, setting.XFrameOptions)
+			}

 			next.ServeHTTP(ctx.Resp, ctx.Req)
 		})
@@ -190,7 +190,10 @@ func Contexter() func(next http.Handler) http.Handler {
 			}

 			httpcache.SetCacheControlInHeader(ctx.Resp.Header(), 0, "no-transform")
-			ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
+
+			if setting.XFrameOptions != "false" {
+				ctx.Resp.Header().Set(`X-Frame-Options`, setting.XFrameOptions)
+			}

 			ctx.Data["SystemConfig"] = setting.Config()
 			ctx.Data["CsrfToken"] = ctx.Csrf.GetToken()