diff --git a/.env.example b/.env.example index 3dbe69bffb..13b742f066 100644 --- a/.env.example +++ b/.env.example @@ -75,3 +75,4 @@ APP_LOG=single APP_LOCKED=false FILESYSTEM_DISK=local APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1 +ALLOW_IFRAMING=false diff --git a/app/Http/Middleware/FrameGuard.php b/app/Http/Middleware/FrameGuard.php index 7e9795a1fe..beb19f20f1 100644 --- a/app/Http/Middleware/FrameGuard.php +++ b/app/Http/Middleware/FrameGuard.php @@ -15,7 +15,10 @@ class FrameGuard public function handle($request, Closure $next) { $response = $next($request); - $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false); + if (config('app.allow_iframing') == false) { + $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false); + } return $response; + } } diff --git a/config/app.php b/config/app.php index 0b7a0e3c5d..0535a49e4b 100644 --- a/config/app.php +++ b/config/app.php @@ -127,6 +127,20 @@ return [ 'private_uploads' => storage_path().'/private_uploads', + /* + |-------------------------------------------------------------------------- + | ALLOW I-FRAMING + |-------------------------------------------------------------------------- + | + | Normal users will never need to edit this. This option lets you run + | Snipe-IT within an I-Frame, which is normally disabled by default for + | security reasons, to prevent clickjacking. It should normally be set to false. + | + */ + + 'allow_iframing' => env('ALLOW_IFRAMING', false), + + /* |-------------------------------------------------------------------------- | Demo Mode Lockdown @@ -140,7 +154,6 @@ return [ 'lock_passwords' => env('APP_LOCKED', false), - /* |-------------------------------------------------------------------------- | Autoloaded Service Providers diff --git a/docker.env b/docker.env index 4f48132d21..442f5c08ed 100644 --- a/docker.env +++ b/docker.env 
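Review bot: The loose check `config('app.allow_iframing') == false` in handle() fails open, because any non-empty value other than a recognised boolean string disables the clickjacking header. Laravel's env() casts `true`/`false` to booleans but passes other strings through, so `ALLOW_IFRAMING=no` or `ALLOW_IFRAMING=off` would reach the comparison as a truthy string and X-Frame-Options would be omitted. A strict, fail-closed guard keeps the header unless the option is exactly boolean true: `if (config('app.allow_iframing') !== true) {`. The `+` line after `return $response;` appears to add only a blank line before the closing brace and could be dropped. The class declaration itself is outside the hunk.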
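Review bot: The new comment block above `'allow_iframing'` does not say what enabling the option actually changes. From the FrameGuard hunk, a true value means no X-Frame-Options header is sent on any response, so framing is allowed from every origin and not just a chosen parent site. I would add a line such as `| Setting this to true removes the X-Frame-Options header from every response, so any site can embed the application.` Whether another layer (web server or proxy) sets a framing policy is not visible here. If one does not, a follow-up that lets operators name the allowed parent origins through `Content-Security-Policy: frame-ancestors` would limit the exposure.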
@@ -22,3 +22,5 @@ APP_KEY=Y5hJeC7x1i7OxhDrvrQPlB9KvCorvRdO APP_URL=http://127.0.0.1:32782 APP_TIMEZONE=US/Pacific APP_LOCALE=en + +ALLOW_IFRAMING=false