Allow X-Frame-Options to be disabled via env if necessary

snipe · Aug 30, 2016 · 64cd4fb · 64cd4fb
1 parent 276e0a7
commit 64cd4fb
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 2 deletions.
diff --git a/.env.example b/.env.example
@@ -75,3 +75,4 @@ APP_LOG=single
 APP_LOCKED=false
 FILESYSTEM_DISK=local
 APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
+ALLOW_IFRAMING=false
diff --git a/app/Http/Middleware/FrameGuard.php b/app/Http/Middleware/FrameGuard.php
@@ -15,7 +15,10 @@ class FrameGuard
  public function handle($request, Closure $next)
  {
  $response = $next($request);
- $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
+ if (config('app.allow_iframing') == false) {
+ $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
+ }
  return $response;
+
  }
 }
diff --git a/config/app.php b/config/app.php
@@ -127,6 +127,20 @@
  'private_uploads' => storage_path().'/private_uploads',
 
 
+ /*
+ |--------------------------------------------------------------------------
+ | ALLOW I-FRAMING
+ |--------------------------------------------------------------------------
+ |
+ | Normal users will never need to edit this. This option lets you run
+ | Snipe-IT within an I-Frame, which is normally disabled by default for
+ | security reasons, to prevent clickjacking. It should normally be set to false.
+ |
+ */
+
+ 'allow_iframing' => env('ALLOW_IFRAMING', false),
+
+
  /*
  |--------------------------------------------------------------------------
  | Demo Mode Lockdown
@@ -140,7 +154,6 @@
  'lock_passwords' => env('APP_LOCKED', false),
 
 
-
  /*
  |--------------------------------------------------------------------------
  | Autoloaded Service Providers

diff --git a/docker.env b/docker.env
@@ -22,3 +22,5 @@ APP_KEY=Y5hJeC7x1i7OxhDrvrQPlB9KvCorvRdO
 APP_URL=http:https://127.0.0.1:32782
 APP_TIMEZONE=US/Pacific
 APP_LOCALE=en
+
+ALLOW_IFRAMING=false