Allow X-Frame-Options to be disabled via env if necessary

.env.example

@@ -75,3 +75,4 @@ APP_LOG=single
 APP_LOCKED=false
 FILESYSTEM_DISK=local
 APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
+ALLOW_IFRAMING=false

app/Http/Middleware/FrameGuard.php

@@ -15,7 +15,10 @@ class FrameGuard
     public function handle($request, Closure $next)
     {
         $response = $next($request);
-        $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
+        if (config('app.allow_iframing') == false) {
+            $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
+        }
         return $response;
+
     }
 }

config/app.php

@@ -127,6 +127,20 @@ return [
     'private_uploads' => storage_path().'/private_uploads',
 
 
+    /*
+    |--------------------------------------------------------------------------
+    | ALLOW I-FRAMING
+    |--------------------------------------------------------------------------
+    |
+    | Normal users will never need to edit this. This option lets you run
+    | Snipe-IT within an I-Frame, which is normally disabled by default for
+    | security reasons, to prevent clickjacking. It should normally be set to false.
+    |
+    */
+
+    'allow_iframing' => env('ALLOW_IFRAMING', false),
+
+
     /*
     |--------------------------------------------------------------------------
     | Demo Mode Lockdown
@@ -140,7 +154,6 @@ return [
     'lock_passwords' => env('APP_LOCKED', false),
 
 
-
     /*
     |--------------------------------------------------------------------------
     | Autoloaded Service Providers

docker.env

@@ -22,3 +22,5 @@ APP_KEY=Y5hJeC7x1i7OxhDrvrQPlB9KvCorvRdO
 APP_URL=http://127.0.0.1:32782
 APP_TIMEZONE=US/Pacific
 APP_LOCALE=en
+
+ALLOW_IFRAMING=false