kenmirrors/firefly-iii
1
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-10-15 16:57:09 +00:00
Code Issues Projects Releases Wiki Activity

Add option to disable the X-Frame header

Browse Source
This commit is contained in:
James Cole
2018-11-24 07:24:32 +01:00
parent cb68505204
commit 1b3b39d2ea
6 changed files with 24 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.env.docker
View File

@@ -146,6 +146,10 @@ WINDOWS_SSO_KEY=${WINDOWS_SSO_KEY}
# field to sync as local username. # field to sync as local username.
ADLDAP_SYNC_FIELD=${ADLDAP_SYNC_FIELD} ADLDAP_SYNC_FIELD=${ADLDAP_SYNC_FIELD}
# You can disable the X-Frame-Options header if it interfears with tools like
# Organizr. This is at your own risk.
DISABLE_FRAME_HEADER=${DISABLE_FRAME_HEADER}
# Leave the following configuration vars as is. # Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing. # Unless you like to tinker and know what you're doing.
APP_NAME=FireflyIII APP_NAME=FireflyIII

4
.env.example
View File

@@ -147,6 +147,10 @@ WINDOWS_SSO_KEY=AUTH_USER
# field to sync as local username. # field to sync as local username.
ADLDAP_SYNC_FIELD=userprincipalname ADLDAP_SYNC_FIELD=userprincipalname
# You can disable the X-Frame-Options header if it interfears with tools like
# Organizr. This is at your own risk.
DISABLE_FRAME_HEADER=false
# Leave the following configuration vars as is. # Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing. # Unless you like to tinker and know what you're doing.
APP_NAME=FireflyIII APP_NAME=FireflyIII

4
.env.heroku
View File

@@ -147,6 +147,10 @@ WINDOWS_SSO_KEY=AUTH_USER
# field to sync as local username. # field to sync as local username.
ADLDAP_SYNC_FIELD=userprincipalname ADLDAP_SYNC_FIELD=userprincipalname
# You can disable the X-Frame-Options header if it interfears with tools like
# Organizr. This is at your own risk.
DISABLE_FRAME_HEADER=false
# Leave the following configuration vars as is. # Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing. # Unless you like to tinker and know what you're doing.
APP_NAME=FireflyIII APP_NAME=FireflyIII

4
.env.sandstorm
View File

@@ -147,6 +147,10 @@ WINDOWS_SSO_KEY=AUTH_USER
# field to sync as local username. # field to sync as local username.
ADLDAP_SYNC_FIELD=userprincipalname ADLDAP_SYNC_FIELD=userprincipalname
# You can disable the X-Frame-Options header if it interfears with tools like
# Organizr. This is at your own risk.
DISABLE_FRAME_HEADER=true
# Leave the following configuration vars as is. # Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing. # Unless you like to tinker and know what you're doing.
APP_NAME=FireflyIII APP_NAME=FireflyIII

4
.env.testing
View File

@@ -147,6 +147,10 @@ WINDOWS_SSO_KEY=AUTH_USER
# field to sync as local username. # field to sync as local username.
ADLDAP_SYNC_FIELD=userprincipalname ADLDAP_SYNC_FIELD=userprincipalname
# You can disable the X-Frame-Options header if it interfears with tools like
# Organizr. This is at your own risk.
DISABLE_FRAME_HEADER=false
# Leave the following configuration vars as is. # Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing. # Unless you like to tinker and know what you're doing.
APP_NAME=FireflyIII APP_NAME=FireflyIII

5
app/Http/Middleware/SecureHeaders.php
View File

@@ -76,7 +76,10 @@ class SecureHeaders
"payment 'none'", "payment 'none'",
]; ];
$response->header('X-Frame-Options', 'deny'); $disableFrameHeader = env('DISABLE_FRAME_HEADER');
if (false === $disableFrameHeader || null === $disableFrameHeader) {
$response->header('X-Frame-Options', 'deny');
}
$response->header('Content-Security-Policy', implode('; ', $csp)); $response->header('Content-Security-Policy', implode('; ', $csp));
$response->header('X-XSS-Protection', '1; mode=block'); $response->header('X-XSS-Protection', '1; mode=block');
$response->header('X-Content-Type-Options', 'nosniff'); $response->header('X-Content-Type-Options', 'nosniff');