clientXFrameOptionsHeaderDisabled

2026-06-28 06:56:05 +00:00 · 2022-12-01 12:28:04 +02:00
parent b02e1218ee
commit cf0e5bb328
1 changed files with 10 additions and 1 deletions
--- a/application/Espo/Core/Utils/ClientManager.php
+++ b/application/Espo/Core/Utils/ClientManager.php
@@ -104,13 +104,22 @@ class ClientManager
            return;
        }

-        $response->setHeader('X-Frame-Options', 'SAMEORIGIN');
        $response->setHeader('X-Content-Type-Options', 'nosniff');

+        $this->writeXFrameOptionsHeader($response);
        $this->writeContentSecurityPolicyHeader($response);
        $this->writeStrictTransportSecurityHeader($response);
    }

+    private function writeXFrameOptionsHeader(Response $response): void
+    {
+        if ($this->config->get('clientXFrameOptionsHeaderDisabled')) {
+            return;
+        }
+
+        $response->setHeader('X-Frame-Options', 'SAMEORIGIN');
+    }
+
    private function writeContentSecurityPolicyHeader(Response $response): void
    {
        if ($this->config->get('clientCspDisabled')) {