diff --git a/config/config.sample.php b/config/config.sample.php index b70b3cf533..a3b7cbaca4 100644 --- a/config/config.sample.php +++ b/config/config.sample.php @@ -148,6 +148,10 @@ $CONFIG = array( /* Custom CSP policy, changing this will overwrite the standard policy */ "custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:", +/* Enable/disable X-Frame-Restriction */ +/* HIGH SECURITY RISK IF DISABLED*/ +"xframe_restriction" => true, + /* The directory where the user data is stored, default to data in the owncloud * directory. The sqlite database is also stored here, when sqlite is used. */ diff --git a/lib/template.php b/lib/template.php index f007618ff1..ad875359d7 100644 --- a/lib/template.php +++ b/lib/template.php @@ -186,10 +186,15 @@ class OC_Template{ $this->l10n = OC_L10N::get($parts[0]); // Some headers to enhance security - header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE + // iFrame Restriction Policy + $xFramePolicy = OC_Config::getValue('xframe_restriction', true); + if($xFramePolicy) { + header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains + } + // Content Security Policy // If you change the standard policy, please also change it in config.sample.php $policy = OC_Config::getValue('custom_csp_policy',