Add config parameter to enable/disable X-Frame header

2016-12-26 18:07:00 -05:00 · 2016-12-26 18:07:00 -05:00 · 09dd04f698
commit 09dd04f698
parent 59a721ce18
4 changed files with 17 additions and 1 deletions
--- a/app/constants.php
+++ b/app/constants.php
@ -36,6 +36,7 @@ defined('SUBSCRIPTION_CONCURRENT_REQUESTS') or define('SUBSCRIPTION_CONCURRENT_R

 defined('RULES_DIRECTORY') or define('RULES_DIRECTORY', ROOT_DIRECTORY.DIRECTORY_SEPARATOR.'rules');

+defined('ENABLE_XFRAME') or define('ENABLE_XFRAME', true);
 defined('ENABLE_HSTS') or define('ENABLE_HSTS', true);
 defined('ENABLE_CRONJOB_HTTP_ACCESS') or define('ENABLE_CRONJOB_HTTP_ACCESS', true);

--- a/app/controllers/common.php
+++ b/app/controllers/common.php
@ -40,10 +40,13 @@ Router\before(function ($action) {
        'referrer' => 'no-referrer',
    ));

-    Response\xframe();
    Response\xss();
    Response\nosniff();

+    if (ENABLE_XFRAME) {
+        Response\xframe();
+    }
+
    if (ENABLE_HSTS && Helper\is_secure_connection()) {
        Response\hsts();
    }
--- a/config.default.php
+++ b/config.default.php
@ -57,3 +57,9 @@ define('SUBSCRIPTION_CONCURRENT_REQUESTS', 5);

 // Allow the cronjob to be accessible from the browser
 define('ENABLE_CRONJOB_HTTP_ACCESS', true);
+
+// Enable/disable HTTP header X-Frame-Options
+define('ENABLE_XFRAME', true);
+
+// Enable/disable HSTS HTTP header
+define('ENABLE_HSTS', true);
--- a/docs/config.markdown
+++ b/docs/config.markdown
@ -106,4 +106,10 @@ define('SUBSCRIPTION_CONCURRENT_REQUESTS', 5);

 // Allow the cronjob to be accessible from the browser
 define('ENABLE_CRONJOB_HTTP_ACCESS', true);
+
+// Enable/disable HTTP header X-Frame-Options
+define('ENABLE_XFRAME', true);
+
+// Enable/disable HSTS HTTP header
+define('ENABLE_HSTS', true);
 ```