From 1b3b39d2ea3d033aeea9279717a96f0a82dad182 Mon Sep 17 00:00:00 2001
From: James Cole
Date: Sat, 24 Nov 2018 07:24:32 +0100
Subject: [PATCH] Add option to disable the X-Frame header
---
 .env.docker | 4 ++++
 .env.example | 4 ++++
 .env.heroku | 4 ++++
 .env.sandstorm | 4 ++++
 .env.testing | 4 ++++
 app/Http/Middleware/SecureHeaders.php | 5 ++++-
 6 files changed, 24 insertions(+), 1 deletion(-)
diff --git a/.env.docker b/.env.docker
index 8836909ef3..7267344004 100644
--- a/.env.docker
+++ b/.env.docker
@@ -146,6 +146,10 @@ WINDOWS_SSO_KEY=${WINDOWS_SSO_KEY}
 # field to sync as local username.
 ADLDAP_SYNC_FIELD=${ADLDAP_SYNC_FIELD}
 
+# You can disable the X-Frame-Options header if it interfears with tools like
+# Organizr. This is at your own risk.
+DISABLE_FRAME_HEADER=${DISABLE_FRAME_HEADER}
+
 # Leave the following configuration vars as is.
 # Unless you like to tinker and know what you're doing.
 APP_NAME=FireflyIII
diff --git a/.env.example b/.env.example
index 450df3f03e..a626fb6648 100644
--- a/.env.example
+++ b/.env.example
@@ -147,6 +147,10 @@ WINDOWS_SSO_KEY=AUTH_USER
 # field to sync as local username.
 ADLDAP_SYNC_FIELD=userprincipalname
 
+# You can disable the X-Frame-Options header if it interfears with tools like
+# Organizr. This is at your own risk.
+DISABLE_FRAME_HEADER=false
+
 # Leave the following configuration vars as is.
 # Unless you like to tinker and know what you're doing.
 APP_NAME=FireflyIII
diff --git a/.env.heroku b/.env.heroku
index 72237088cd..91265ca0b9 100644
--- a/.env.heroku
+++ b/.env.heroku
@@ -147,6 +147,10 @@ WINDOWS_SSO_KEY=AUTH_USER
 # field to sync as local username.
 ADLDAP_SYNC_FIELD=userprincipalname
 
+# You can disable the X-Frame-Options header if it interfears with tools like
+# Organizr. This is at your own risk.
+DISABLE_FRAME_HEADER=false
+
 # Leave the following configuration vars as is.
 # Unless you like to tinker and know what you're doing.
 APP_NAME=FireflyIII
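Review bot: The added comment misspells "interferes" as "interfears", and "This is at your own risk" never says what the risk is; the same four lines are added in .env.example, .env.heroku, .env.sandstorm and .env.testing. Since X-Frame-Options is the header that stops the site from being framed by another origin, I would name it: `# Disabling it removes the browser's clickjacking protection (any site can then embed this page in a frame), so only do this when a tool such as Organizr needs to frame Firefly III.` The .env.sandstorm hunk also flips the default to `true`, so that deployment ships without the header; its comment should say why that is acceptable there (presumably because the Sandstorm platform frames apps itself — worth confirming) instead of reusing the generic wording.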
diff --git a/.env.sandstorm b/.env.sandstorm
index d858fd02f9..45842c2845 100755
--- a/.env.sandstorm
+++ b/.env.sandstorm
@@ -147,6 +147,10 @@ WINDOWS_SSO_KEY=AUTH_USER
 # field to sync as local username.
 ADLDAP_SYNC_FIELD=userprincipalname
 
+# You can disable the X-Frame-Options header if it interfears with tools like
+# Organizr. This is at your own risk.
+DISABLE_FRAME_HEADER=true
+
 # Leave the following configuration vars as is.
 # Unless you like to tinker and know what you're doing.
 APP_NAME=FireflyIII
diff --git a/.env.testing b/.env.testing
index a62f25abcf..0ac26d6891 100644
--- a/.env.testing
+++ b/.env.testing
@@ -147,6 +147,10 @@ WINDOWS_SSO_KEY=AUTH_USER
 # field to sync as local username.
 ADLDAP_SYNC_FIELD=userprincipalname
 
+# You can disable the X-Frame-Options header if it interfears with tools like
+# Organizr. This is at your own risk.
+DISABLE_FRAME_HEADER=false
+
 # Leave the following configuration vars as is.
 # Unless you like to tinker and know what you're doing.
 APP_NAME=FireflyIII
diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php
index 39168deabe..f25d417b12 100644
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -76,7 +76,10 @@ class SecureHeaders
 "payment 'none'",
 ];
 
-$response->header('X-Frame-Options', 'deny');
+$disableFrameHeader = env('DISABLE_FRAME_HEADER');
+if (false === $disableFrameHeader || null === $disableFrameHeader) {
+$response->header('X-Frame-Options', 'deny');
+}
 $response->header('Content-Security-Policy', implode('; ', $csp));
 $response->header('X-XSS-Protection', '1; mode=block');
 $response->header('X-Content-Type-Options', 'nosniff');
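Review bot: The new `if` fails open: Laravel's `env()` only turns the literal strings `true`/`false` into booleans, so any other value an operator types — `0`, `no`, `off`, or an empty string such as an unexpanded `${DISABLE_FRAME_HEADER}` placeholder in .env.docker might yield — is neither `false` nor `null` and silently drops X-Frame-Options. Sending the header unless the value is strictly true closes that gap, `if (true !== env('DISABLE_FRAME_HEADER')) {`, and makes the `$disableFrameHeader` temporary unnecessary. Calling `env()` from middleware is also fragile: once the configuration is cached, `env()` returns null, so the option silently stops working (harmless here, since null keeps the header), and reading it through a config value would be the usual fix. The enclosing method starts and ends outside the hunk.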