From 03aa86d8a6e6631547b72f0f01a2394784900db2 Mon Sep 17 00:00:00 2001
From: Florian Scholz <FlorianScholz@bgstyle.de>
Date: Wed, 24 Apr 2013 14:45:40 +0200
Subject: [PATCH] - xframe restriction configurable now

---
 config/config.sample.php | 4 ++++
 lib/template.php         | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/config/config.sample.php b/config/config.sample.php
index b70b3cf533d..a3b7cbaca46 100644
--- a/config/config.sample.php
+++ b/config/config.sample.php
@@ -148,6 +148,10 @@ $CONFIG = array(
 /* Custom CSP policy, changing this will overwrite the standard policy */
 "custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:",
 
+/* Enable/disable X-Frame-Restriction */
+/* HIGH SECURITY RISK IF DISABLED*/
+"xframe_restriction" => true,
+	
 /* The directory where the user data is stored, default to data in the owncloud
  * directory. The sqlite database is also stored here, when sqlite is used.
  */
diff --git a/lib/template.php b/lib/template.php
index 434c1e9e990..dd5542e099a 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -186,10 +186,15 @@ class OC_Template{
 		$this->l10n = OC_L10N::get($parts[0]);
 
 		// Some headers to enhance security
-		header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
 		header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
 		header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
 
+		// iFrame Restriction Policy
+		$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
+		if($xFramePolicy) {
+			header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
+		}
+		
 		// Content Security Policy
 		// If you change the standard policy, please also change it in config.sample.php
 		$policy = OC_Config::getValue('custom_csp_policy',
-- 
GitLab