From 259f7149f54111b5c4e544b09baa361104471f94 Mon Sep 17 00:00:00 2001
From: jeroen-zpam <75545004+jeroen-zpam@users.noreply.github.com>
Date: Tue, 15 Dec 2020 14:51:45 +0100
Subject: [PATCH 1/4] Update wt_config.xml.in
Added a configuration setting that controls whether response.addHeader("X-Frame-Options", "SAMEORIGIN") is called.
---
wt_config.xml.in | 2 ++
1 file changed, 2 insertions(+)
diff --git a/wt_config.xml.in b/wt_config.xml.in
index 9404e05788..e701b7b891 100644
--- a/wt_config.xml.in
+++ b/wt_config.xml.in
@@ -659,6 +659,8 @@
+ true
+
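Review bot: The new configuration entry carries no comment telling an operator what turning it off costs; on this page the element's tags appear stripped, so its name cannot be confirmed here, but patch 3 reads the key as `x-frame-same-origin` and patch 4 shows that a `false` value simply omits the X-Frame-Options header. Without that header the bootstrap and main pages can be framed by any origin, i.e. the built-in clickjacking protection is gone unless something else (a reverse proxy, or an application-set Content-Security-Policy frame-ancestors directive) supplies it. I would add next to the entry: `<!-- Set to false only when the application must be embedded cross-origin; the page then has no clickjacking protection unless a frame-ancestors policy is set elsewhere. -->`. If the real goal is embedding from specific trusted origins, a frame-ancestors allow-list is the right tool rather than dropping the header entirely.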
From d741588bff127f5c53feb750fedadbd6dc09a2cc Mon Sep 17 00:00:00 2001
From: jeroen-zpam <75545004+jeroen-zpam@users.noreply.github.com>
Date: Tue, 15 Dec 2020 14:56:17 +0100
Subject: [PATCH 2/4] Update Configuration.h
Added a configuration option that controls whether response.addHeader("X-Frame-Options", "SAMEORIGIN") is called.
---
src/web/Configuration.h | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/web/Configuration.h b/src/web/Configuration.h
index ed042718b5..16c2b0de7f 100644
--- a/src/web/Configuration.h
+++ b/src/web/Configuration.h
@@ -195,6 +195,8 @@ class WT_API Configuration
bool agentIsBot(const std::string& agent) const;
bool agentSupportsAjax(const std::string& agent) const;
std::string uaCompatible() const;
+
+ bool xFrameSameOrigin() const;
// Things which are overridden by the connector
void setSessionTimeout(int sessionTimeout);
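Review bot: The new accessor `xFrameSameOrigin()` is declared without any documentation, and its name does not say what it gates. Since the corresponding patch to WebRenderer.C shows it deciding whether `X-Frame-Options: SAMEORIGIN` is added to the bootstrap and main page responses, I would put that above the declaration, in whatever doc-comment style this header already uses: `/*! \brief Whether X-Frame-Options: SAMEORIGIN is sent with the bootstrap and main page (config key x-frame-same-origin; default true, disabling removes clickjacking protection). */`. The neighbouring accessors in the hunk are also undocumented here, so this may just follow file convention, but a security-relevant opt-out deserves the note.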
@@ -277,6 +279,8 @@ class WT_API Configuration
bool connectorWebSockets_;
std::string connectorSessionIdPrefix_;
+ bool xFrameSameOrigin_;
+
void reset();
void readApplicationSettings(Wt::rapidxml::xml_node *app);
void readConfiguration(bool silent);
From 13498be37a55df22430c65f2495a842df96a4371 Mon Sep 17 00:00:00 2001
From: jeroen-zpam <75545004+jeroen-zpam@users.noreply.github.com>
Date: Tue, 15 Dec 2020 15:00:57 +0100
Subject: [PATCH 3/4] Update Configuration.C
Added a configuration option that controls whether response.addHeader("X-Frame-Options", "SAMEORIGIN") is called.
---
src/web/Configuration.C | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/web/Configuration.C b/src/web/Configuration.C
index c1a2e6591a..9b5491e24b 100644
--- a/src/web/Configuration.C
+++ b/src/web/Configuration.C
@@ -237,7 +237,8 @@ void Configuration::reset()
bootstrapConfig_.clear();
numSessionThreads_ = -1;
allowedOrigins_.clear();
-
+ xFrameSameOrigin_ = true;
+
if (!appRoot_.empty())
setAppRoot(appRoot_);
}
@@ -475,6 +476,13 @@ std::string Configuration::uaCompatible() const
READ_LOCK;
return uaCompatible_;
}
+
+bool Configuration::xFrameSameOrigin() const
+{
+ READ_LOCK;
+ return xFrameSameOrigin_;
+}
+
bool Configuration::sessionIdCookie() const
{
@@ -1021,6 +1029,8 @@ void Configuration::readApplicationSettings(xml_node<> *app)
boost::split(allowedOrigins_, allowedOrigins, boost::is_any_of(","));
for (std::size_t i = 0; i < allowedOrigins_.size(); ++i)
boost::trim(allowedOrigins_[i]);
+
+ setBoolean(app, "x-frame-same-origin", xFrameSameOrigin_);
}
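Review bot: The secure default relies on an interaction that is not visible in this hunk: `reset()` sets `xFrameSameOrigin_ = true` and `setBoolean(app, "x-frame-same-origin", xFrameSameOrigin_)` presumably leaves the member untouched when the key is absent, so an unconfigured application keeps the header. If `setBoolean` instead assigns a default when the key is missing, that assumption breaks, so it is worth stating at the call site: `// Absent key keeps the secure default (true) set in reset(); false disables the X-Frame-Options header.`. Note also that this reads a per-application setting, so a single deployment can opt out for one application only. The enclosing readApplicationSettings begins before the hunk.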
void Configuration::rereadConfiguration()
From 3a27475c01dd25f32599de2feac243a982f5143f Mon Sep 17 00:00:00 2001
From: jeroen-zpam <75545004+jeroen-zpam@users.noreply.github.com>
Date: Tue, 15 Dec 2020 15:02:57 +0100
Subject: [PATCH 4/4] Update WebRenderer.C
Added a configuration option that controls whether response.addHeader("X-Frame-Options", "SAMEORIGIN") is called.
---
src/web/WebRenderer.C | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/web/WebRenderer.C b/src/web/WebRenderer.C
index fa5d7247a9..88683267fd 100644
--- a/src/web/WebRenderer.C
+++ b/src/web/WebRenderer.C
@@ -459,7 +459,8 @@ void WebRenderer::serveBootstrap(WebResponse& response)
boot.setVar("BOOT_STYLE_URL", bootStyleUrl.str());
setCaching(response, false);
- response.addHeader("X-Frame-Options", "SAMEORIGIN");
+ if (conf.xFrameSameOrigin())
+ response.addHeader("X-Frame-Options", "SAMEORIGIN");
std::string contentType = "text/html; charset=UTF-8";
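Review bot: When the option is off the bootstrap response gets no framing policy at all — the header is dropped rather than replaced — so a reader of this code should see that trade-off spelled out: `// Opt-out via x-frame-same-origin: no replacement header is sent, so the page becomes frameable from any origin.`. This also assumes `conf` is a Configuration reference already in scope in serveBootstrap; it is not visible in the hunk, and the function starts and ends outside it. If some deployments need cross-origin embedding, emitting `Content-Security-Policy: frame-ancestors …` with an allow-list in the disabled case would be a safer design than silence, but that is a wider change than this patch attempts.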
@@ -1484,7 +1485,8 @@ void WebRenderer::serveMainpage(WebResponse& response)
std::string contentType = "text/html; charset=UTF-8";
setCaching(response, false);
- response.addHeader("X-Frame-Options", "SAMEORIGIN");
+ if (conf.xFrameSameOrigin())
+ response.addHeader("X-Frame-Options", "SAMEORIGIN");
setHeaders(response, contentType);
currentFormObjectsList_ = createFormObjectsList(app);
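Review bot: The same two-line guard now appears verbatim in serveBootstrap and serveMainpage, which is the kind of duplication that drifts when a third response path is added later. Since this hunk shows serveMainpage already calling `setHeaders(response, contentType)`, I would move the guarded `addHeader("X-Frame-Options", "SAMEORIGIN")` into a single small helper (or into setHeaders, if every caller of it serves a framed HTML document) and call that from both sites, so the opt-out is decided in exactly one place. Whether setHeaders is the right home depends on its other callers, which are not visible here; serveMainpage continues past the end of the hunk.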