
[NEW] Add option to enable X-Frame-options header to avoid loading inside any Iframe #14698

Merged
merged 8 commits into from
Oct 18, 2019
4 changes: 4 additions & 0 deletions app/cors/server/cors.js
Expand Up @@ -48,6 +48,9 @@ WebApp.rawConnectHandlers.use(function(req, res, next) {
if (/^\/(api|_timesync|sockjs|tap-i18n)(\/|$)/.test(req.url)) {
res.setHeader('Access-Control-Allow-Origin', '*');
}
if (!settings.get('Allow_Loading_In_Iframe')) {
res.setHeader('X-Frame-Options', settings.get('X_Frame_Options'));
}

const { setHeader } = res;
res.setHeader = function(key, val, ...args) {
Expand All @@ -56,6 +59,7 @@ WebApp.rawConnectHandlers.use(function(req, res, next) {
}
return setHeader.apply(this, [key, val, ...args]);
};

return next();
});

12 changes: 12 additions & 0 deletions app/lib/server/startup/settings.js
Expand Up @@ -752,6 +752,18 @@ settings.addGroup('General', function() {
type: 'boolean',
secret: true,
});
this.add('Allow_Loading_In_Iframe', false, {
type: 'boolean',
secret: true,
});
this.add('X_Frame_Options', 'sameorigin', {
type: 'string',
secret: true,
enableQuery: {
_id: 'Allow_Loading_In_Iframe',
value: false,
},
});
this.add('Favorite_Rooms', true, {
type: 'boolean',
public: true,
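Review bot: `X_Frame_Options` is declared as a free-form `type: 'string'`, so any text an admin enters is sent verbatim as the header value, and browsers drop unrecognized X-Frame-Options values, leaving a setting that looks enabled but protects nothing. The header's defined values form a closed set (`DENY`, `SAMEORIGIN`; `ALLOW-FROM` is deprecated), so a `type: 'select'` with a `values` list limited to those, or validation at the point the header is written, would rule out that misconfiguration. Both new settings also carry `secret: true` although neither holds a credential; it looks copied from the preceding definition, so confirm it is intended. The enclosing `settings.addGroup('General', …)` callback starts and ends outside the hunk.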
4 changes: 4 additions & 0 deletions packages/rocketchat-i18n/i18n/en.i18n.json
Expand Up @@ -253,6 +253,8 @@
"Allow_Invalid_SelfSigned_Certs": "Allow Invalid Self-Signed Certs",
"Allow_Invalid_SelfSigned_Certs_Description": "Allow invalid and self-signed SSL certificate's for link validation and previews.",
"Allow_switching_departments": "Allow Visitor to Switch Departments",
"Allow_Loading_In_Iframe": "Allow loading inside any Iframe",
"Allow_Loading_In_Iframe_Description": "Allows loading inside any Iframe without restrictions",
"Allow_Marketing_Emails": "Allow Marketing Emails",
"Almost_done": "Almost done",
"Alphabetical": "Alphabetical",
Expand Down Expand Up @@ -3208,6 +3210,8 @@
"will_be_able_to": "will be able to",
"Worldwide": "Worldwide",
"Would_you_like_to_return_the_inquiry": "Would you like to return the inquiry?",
"X_Frame_Options": "Options to X-Frame-Options",
"X_Frame_Options_Description": "Options to X-Frame-Options. [You can see all the options here.](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options#Syntax)",
"Yes": "Yes",
"Yesterday": "Yesterday",
"Yes_archive_it": "Yes, archive it!",
13 changes: 13 additions & 0 deletions server/startup/migrations/v148.js
@@ -0,0 +1,13 @@
import { Migrations } from '../../../app/migrations';
import { Settings } from '../../../app/models';

Migrations.add({
version: 148,
up() {
Settings.upsert({ _id: 'Allow_Loading_In_Iframe' }, {
$set: {
value: true,
},
});
},
});
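Review bot: The migration sets `Allow_Loading_In_Iframe` to `true` for every existing deployment, so upgrades keep the previous framable behaviour and only gain the `X-Frame-Options` header once an admin opts in; that is a defensible compatibility choice, but nothing in the file says so, and a reader will wonder why a migration switches a hardening option off. Add a comment above the `upsert`, e.g. `// Installs predating this setting were framable; preserve that and let admins opt in to X-Frame-Options.` Using `upsert` with only `$set: { value: true }` also inserts a bare `{ _id, value }` document if the setting record does not exist when the migration runs; if registration in `app/lib/server/startup/settings.js` is guaranteed to run first, a plain `update` would state that assumption, otherwise `$setOnInsert` for the remaining fields avoids a partial record.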