Merge pull request #3106 from IMM0rtalis/xframe_restriction_config
- xframe restriction configurable now
This commit is contained in:
commit
a34350c803
|
@ -148,6 +148,10 @@ $CONFIG = array(
|
||||||
/* Custom CSP policy, changing this will overwrite the standard policy */
|
/* Custom CSP policy, changing this will overwrite the standard policy */
|
||||||
"custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:",
|
"custom_csp_policy" => "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src *; font-src 'self' data:",
|
||||||
|
|
||||||
|
/* Enable/disable X-Frame-Restriction */
|
||||||
|
/* HIGH SECURITY RISK IF DISABLED*/
|
||||||
|
"xframe_restriction" => true,
|
||||||
|
|
||||||
/* The directory where the user data is stored, default to data in the owncloud
|
/* The directory where the user data is stored, default to data in the owncloud
|
||||||
* directory. The sqlite database is also stored here, when sqlite is used.
|
* directory. The sqlite database is also stored here, when sqlite is used.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -186,10 +186,15 @@ class OC_Template{
|
||||||
$this->l10n = OC_L10N::get($parts[0]);
|
$this->l10n = OC_L10N::get($parts[0]);
|
||||||
|
|
||||||
// Some headers to enhance security
|
// Some headers to enhance security
|
||||||
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
|
|
||||||
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
|
header('X-XSS-Protection: 1; mode=block'); // Enforce browser based XSS filters
|
||||||
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
|
header('X-Content-Type-Options: nosniff'); // Disable sniffing the content type for IE
|
||||||
|
|
||||||
|
// iFrame Restriction Policy
|
||||||
|
$xFramePolicy = OC_Config::getValue('xframe_restriction', true);
|
||||||
|
if($xFramePolicy) {
|
||||||
|
header('X-Frame-Options: Sameorigin'); // Disallow iFraming from other domains
|
||||||
|
}
|
||||||
|
|
||||||
// Content Security Policy
|
// Content Security Policy
|
||||||
// If you change the standard policy, please also change it in config.sample.php
|
// If you change the standard policy, please also change it in config.sample.php
|
||||||
$policy = OC_Config::getValue('custom_csp_policy',
|
$policy = OC_Config::getValue('custom_csp_policy',
|
||||||
|
|
Loading…
Reference in New Issue