diff --git a/src/web/Configuration.C b/src/web/Configuration.C index c1a2e6591a..9b5491e24b 100644 --- a/src/web/Configuration.C +++ b/src/web/Configuration.C @@ -237,7 +237,8 @@ void Configuration::reset() bootstrapConfig_.clear(); numSessionThreads_ = -1; allowedOrigins_.clear(); - + xFrameSameOrigin_ = true; + if (!appRoot_.empty()) setAppRoot(appRoot_); } @@ -475,6 +476,13 @@ std::string Configuration::uaCompatible() const READ_LOCK; return uaCompatible_; } + +bool Configuration::xFrameSameOrigin() const +{ + READ_LOCK; + return xFrameSameOrigin_; +} + bool Configuration::sessionIdCookie() const { @@ -1021,6 +1029,8 @@ void Configuration::readApplicationSettings(xml_node<> *app) boost::split(allowedOrigins_, allowedOrigins, boost::is_any_of(",")); for (std::size_t i = 0; i < allowedOrigins_.size(); ++i) boost::trim(allowedOrigins_[i]); + + setBoolean(app, "x-frame-same-origin", xFrameSameOrigin_); } void Configuration::rereadConfiguration() diff --git a/src/web/Configuration.h b/src/web/Configuration.h index ed042718b5..16c2b0de7f 100644 --- a/src/web/Configuration.h +++ b/src/web/Configuration.h @@ -195,6 +195,8 @@ class WT_API Configuration bool agentIsBot(const std::string& agent) const; bool agentSupportsAjax(const std::string& agent) const; std::string uaCompatible() const; + + bool xFrameSameOrigin() const; // Things which are overridden by the connector void setSessionTimeout(int sessionTimeout); @@ -277,6 +279,8 @@ class WT_API Configuration bool connectorWebSockets_; std::string connectorSessionIdPrefix_; + bool xFrameSameOrigin_; + void reset(); void readApplicationSettings(Wt::rapidxml::xml_node *app); void readConfiguration(bool silent); diff --git a/src/web/WebRenderer.C b/src/web/WebRenderer.C index fa5d7247a9..88683267fd 100644 --- a/src/web/WebRenderer.C +++ b/src/web/WebRenderer.C 
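Review bot: The new `setBoolean(app, "x-frame-same-origin", xFrameSameOrigin_);` read in readApplicationSettings() gives deployers a switch that removes the only framing restriction the server sends, and nothing in the hunk records what is given up by flipping it. With the option off, the bootstrap and main page can be embedded by any origin (clickjacking exposure) unless the application or a front-end proxy supplies an equivalent restriction such as a Content-Security-Policy `frame-ancestors` directive; the option's entry in wt_config.xml.in should say so, and a one-line comment above the call, `// default true (see reset()); disabling drops X-Frame-Options entirely`, would help the next reader here. The allowed-origins list parsed just above is a separate mechanism (it appears to govern cross-origin requests rather than framing), so it is not a substitute. The enclosing readApplicationSettings() starts outside the hunk.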
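Review bot: The new `bool xFrameSameOrigin() const;` declaration in Configuration.h carries no comment, although its effect is security-relevant and its default is only discoverable by reading reset() in Configuration.C. Suggest `// Whether X-Frame-Options: SAMEORIGIN is sent with the bootstrap and main page (<x-frame-same-origin>, default true)` above it, matching the `//` comments used in this part of the class. The class body continues outside the hunk.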
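Review bot: `bool xFrameSameOrigin_;` in the second Configuration.h hunk is declared without an initializer, so its value is indeterminate until reset() assigns true; if any path can read it through xFrameSameOrigin() before reset() has run (the constructor is not visible here), the header could be dropped by an uninitialized read rather than by configuration. Neighbouring members such as `connectorWebSockets_` follow the same pattern, so this may be the file's convention, but for a security default the safer form is an in-class initializer, `bool xFrameSameOrigin_ = true;`, if the project's C++ baseline allows it, keeping the assignment in reset() as well.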
@@ -459,7 +459,8 @@ void WebRenderer::serveBootstrap(WebResponse& response) boot.setVar("BOOT_STYLE_URL", bootStyleUrl.str()); setCaching(response, false); - response.addHeader("X-Frame-Options", "SAMEORIGIN"); + if (conf.xFrameSameOrigin()) + response.addHeader("X-Frame-Options", "SAMEORIGIN"); std::string contentType = "text/html; charset=UTF-8"; @@ -1484,7 +1485,8 @@ void WebRenderer::serveMainpage(WebResponse& response) std::string contentType = "text/html; charset=UTF-8"; setCaching(response, false); - response.addHeader("X-Frame-Options", "SAMEORIGIN"); + if (conf.xFrameSameOrigin()) + response.addHeader("X-Frame-Options", "SAMEORIGIN"); setHeaders(response, contentType); currentFormObjectsList_ = createFormObjectsList(app); diff --git a/wt_config.xml.in b/wt_config.xml.in index 9404e05788..e701b7b891 100644 --- a/wt_config.xml.in +++ b/wt_config.xml.in @@ -659,6 +659,8 @@ + true +
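Review bot: The same guard `if (conf.xFrameSameOrigin()) response.addHeader("X-Frame-Options", "SAMEORIGIN");` is now duplicated in serveBootstrap() here and in serveMainpage() in the next hunk; serveMainpage() follows it with `setHeaders(response, contentType);`, and if serveBootstrap() calls the same helper (outside this hunk), that is the natural single place to decide the framing header so the two responses cannot drift apart. When the option is off nothing else is emitted, so the response becomes embeddable by any origin; if the intended use is embedding from a known set of sites, a `Content-Security-Policy: frame-ancestors` header derived from configuration would be the stricter replacement for simply dropping the header. At minimum a comment at the guard, `// configurable: disabling removes all framing restrictions for this response`, should make the consequence visible. `conf` is presumably the Configuration reference obtained earlier in each function, outside the hunk.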