test/gitea-mirror
1
0
Fork 0
mirror of https://gitea.com/gitea/gitea-mirror.git synced 2026-03-20 11:50:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Move X_FRAME_OPTIONS setting from cors to security section (#30256)

Browse Source 
## Summary

- Move `cors.X_FRAME_OPTIONS` to `security.X_FRAME_OPTIONS` (old
location still works with a deprecation warning)
- Support `"unset"` as a special value to remove the `X-Frame-Options`
header entirely
- Remove `X-Frame-Options` header from API responses (only set for
web/HTML responses)

## Migration

If you had customized `cors.X_FRAME_OPTIONS`, move it to the
`[security]` section. The old location is deprecated and will be removed
in a future release.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
This commit is contained in:
silverwind
2026-02-22 21:26:46 +01:00
committed by GitHub
parent fed2d81e88
commit 5f8e19fcef
6 changed files with 27 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
modules/setting/cors.go
View File

@@ -15,13 +15,11 @@ var CORSConfig = struct {
MaxAge time.Duration
AllowCredentials bool
Headers []string
XFrameOptions string
}{
AllowDomain: []string{"*"},
Methods: []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
Headers: []string{"Content-Type", "User-Agent"},
MaxAge: 10 * time.Minute,
XFrameOptions: "SAMEORIGIN",
AllowDomain: []string{"*"},
Methods: []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
Headers: []string{"Content-Type", "User-Agent"},
MaxAge: 10 * time.Minute,
}
func loadCorsFrom(rootCfg ConfigProvider) {

13
modules/setting/security.go
View File

@@ -14,6 +14,12 @@ import (
)
// Security settings
var Security = struct {
// TODO: move more settings to this struct in future
XFrameOptions string
}{
XFrameOptions: "SAMEORIGIN",
}
var (
InstallLock bool
@@ -140,6 +146,13 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
PasswordCheckPwn = sec.Key("PASSWORD_CHECK_PWN").MustBool(false)
SuccessfulTokensCacheSize = sec.Key("SUCCESSFUL_TOKENS_CACHE_SIZE").MustInt(20)
deprecatedSetting(rootCfg, "cors", "X_FRAME_OPTIONS", "security", "X_FRAME_OPTIONS", "v1.26.0")
if sec.HasKey("X_FRAME_OPTIONS") {
Security.XFrameOptions = sec.Key("X_FRAME_OPTIONS").MustString(Security.XFrameOptions)
} else {
Security.XFrameOptions = rootCfg.Section("cors").Key("X_FRAME_OPTIONS").MustString(Security.XFrameOptions)
}
twoFactorAuth := sec.Key("TWO_FACTOR_AUTH").String()
switch twoFactorAuth {
case "":