Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[NEW] Add option to enable X-Frame-options header to avoid loading inside any Iframe #14698

Merged
merged 8 commits into from
Oct 18, 2019
4 changes: 4 additions & 0 deletions app/cors/server/cors.js
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,9 @@ WebApp.rawConnectHandlers.use(function(req, res, next) {
if (/^\/(api|_timesync|sockjs|tap-i18n)(\/|$)/.test(req.url)) {
res.setHeader('Access-Control-Allow-Origin', '*');
}
if (settings.get('Iframe_Restrict_Access')) {
res.setHeader('X-Frame-Options', settings.get('Iframe_X_Frame_Options'));
}

const { setHeader } = res;
res.setHeader = function(key, val, ...args) {
Expand All @@ -68,6 +71,7 @@ WebApp.rawConnectHandlers.use(function(req, res, next) {
}
return setHeader.apply(this, [key, val, ...args]);
};

return next();
});

Expand Down
12 changes: 12 additions & 0 deletions app/lib/server/startup/settings.js
Original file line number Diff line number Diff line change
Expand Up @@ -760,6 +760,18 @@ settings.addGroup('General', function() {
type: 'boolean',
secret: true,
});
this.add('Iframe_Restrict_Access', true, {
type: 'boolean',
secret: true,
});
this.add('Iframe_X_Frame_Options', 'sameorigin', {
type: 'string',
secret: true,
enableQuery: {
_id: 'Iframe_Restrict_Access',
value: true,
},
});
this.add('Favorite_Rooms', true, {
type: 'boolean',
public: true,
Expand Down
4 changes: 4 additions & 0 deletions packages/rocketchat-i18n/i18n/en.i18n.json
Original file line number Diff line number Diff line change
Expand Up @@ -1591,6 +1591,10 @@
"Iframe_Integration_send_enable_Description": "Send events to parent window",
"Iframe_Integration_send_target_origin": "Send Target Origin",
"Iframe_Integration_send_target_origin_Description": "Origin with protocol prefix, which commands are sent to e.g. 'https://localhost', or * to allow sending to anywhere.",
"Iframe_Restrict_Access": "Restrict access inside any Iframe",
"Iframe_Restrict_Access_Description": "This setting enable/disable restrictions to load the RC inside any iframe",
"Iframe_X_Frame_Options": "Options to X-Frame-Options",
"Iframe_X_Frame_Options_Description": "Options to X-Frame-Options. [You can see all the options here.](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Syntax)",
"Ignore": "Ignore",
"Ignored": "Ignored",
"Images": "Images",
Expand Down
1 change: 1 addition & 0 deletions server/startup/migrations/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -161,4 +161,5 @@ import './v160';
import './v161';
import './v162';
import './v163';
import './v164';
import './xrun';
14 changes: 14 additions & 0 deletions server/startup/migrations/v164.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
import { Migrations } from '../../../app/migrations';
import { Settings } from '../../../app/models';

// Enable iframe usage for existant RC installations.
Migrations.add({
version: 162,
up() {
Settings.upsert({ _id: 'Iframe_Restrict_Access' }, {
$set: {
value: false,
},
});
},
});