Move X_FRAME_OPTIONS setting from cors to security section (#30256)
## Summary - Move `cors.X_FRAME_OPTIONS` to `security.X_FRAME_OPTIONS` (old location still works with a deprecation warning) - Support `"unset"` as a special value to remove the `X-Frame-Options` header entirely - Remove `X-Frame-Options` header from API responses (only set for web/HTML responses) ## Migration If you had customized `cors.X_FRAME_OPTIONS`, move it to the `[security]` section. The old location is deprecated and will be removed in a future release. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
@@ -235,8 +235,6 @@ func APIContexter() func(http.Handler) http.Handler {
|
||||
}
|
||||
|
||||
httpcache.SetCacheControlInHeader(ctx.Resp.Header(), &httpcache.CacheControlOptions{NoTransform: true})
|
||||
ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
|
||||
|
||||
next.ServeHTTP(ctx.Resp, ctx.Req)
|
||||
})
|
||||
}
|
||||
|
||||
@@ -196,7 +196,10 @@ func Contexter() func(next http.Handler) http.Handler {
|
||||
}
|
||||
|
||||
httpcache.SetCacheControlInHeader(ctx.Resp.Header(), &httpcache.CacheControlOptions{NoTransform: true})
|
||||
ctx.Resp.Header().Set(`X-Frame-Options`, setting.CORSConfig.XFrameOptions)
|
||||
|
||||
if setting.Security.XFrameOptions != "unset" {
|
||||
ctx.Resp.Header().Set(`X-Frame-Options`, setting.Security.XFrameOptions)
|
||||
}
|
||||
|
||||
ctx.Data["SystemConfig"] = setting.Config()
|
||||
|
||||
|
||||
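Review bot: The new `if setting.Security.XFrameOptions != "unset"` guard compares a bare, case-sensitive string literal, so unless the loader for the `[security]` section already normalizes the value (not visible here), a configured `Unset` or `UNSET` is emitted verbatim as `X-Frame-Options: Unset`; browsers discard invalid values, which silently leaves the page frameable while the config looks like it opted out deliberately. The same literal is presumably also spelled in the setting package that accepts it, so the two can drift. Prefer validating and lower-casing the value once at config-load time and exposing the sentinel as a named constant there (say `XFrameOptionsUnset`, a proposed name), so this site becomes `if setting.Security.XFrameOptions != setting.XFrameOptionsUnset {`. A one-line comment above the guard, `// "unset" disables the header entirely; any other value is sent as-is`, would also make the special case discoverable for the next reader. The enclosing handler closure and `Contexter` itself begin and end outside this hunk.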