From 64cd4fb1c93226d981cfe944074f95bc9174dd85 Mon Sep 17 00:00:00 2001
From: snipe <snipe@snipe.net>
Date: Mon, 29 Aug 2016 22:57:29 -0700
Subject: [PATCH] Allow X-Frame-Options to be disabled via env if necessary

---
 .env.example                       |  1 +
 app/Http/Middleware/FrameGuard.php |  5 ++++-
 config/app.php                     | 15 ++++++++++++++-
 docker.env                         |  2 ++
 4 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/.env.example b/.env.example
index 3dbe69bffb..13b742f066 100644
--- a/.env.example
+++ b/.env.example
@@ -75,3 +75,4 @@ APP_LOG=single
 APP_LOCKED=false
 FILESYSTEM_DISK=local
 APP_TRUSTED_PROXIES=192.168.1.1,10.0.0.1
+ALLOW_IFRAMING=false
diff --git a/app/Http/Middleware/FrameGuard.php b/app/Http/Middleware/FrameGuard.php
index 7e9795a1fe..beb19f20f1 100644
--- a/app/Http/Middleware/FrameGuard.php
+++ b/app/Http/Middleware/FrameGuard.php
@@ -15,7 +15,10 @@ class FrameGuard
     public function handle($request, Closure $next)
     {
         $response = $next($request);
-        $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
+        if (config('app.allow_iframing') == false) {
+            $response->headers->set('X-Frame-Options', 'SAMEORIGIN', false);
+        }
         return $response;
+
     }
 }
diff --git a/config/app.php b/config/app.php
index 0b7a0e3c5d..0535a49e4b 100644
--- a/config/app.php
+++ b/config/app.php
@@ -127,6 +127,20 @@ return [
     'private_uploads' => storage_path().'/private_uploads',
 
 
+    /*
+    |--------------------------------------------------------------------------
+    | ALLOW I-FRAMING
+    |--------------------------------------------------------------------------
+    |
+    | Normal users will never need to edit this. This option lets you run
+    | Snipe-IT within an I-Frame, which is normally disabled by default for
+    | security reasons, to prevent clickjacking. It should normally be set to false.
+    |
+    */
+
+    'allow_iframing' => env('ALLOW_IFRAMING', false),
+
+
     /*
     |--------------------------------------------------------------------------
     | Demo Mode Lockdown
@@ -140,7 +154,6 @@ return [
     'lock_passwords' => env('APP_LOCKED', false),
 
 
-
     /*
     |--------------------------------------------------------------------------
     | Autoloaded Service Providers
diff --git a/docker.env b/docker.env
index 4f48132d21..442f5c08ed 100644
--- a/docker.env
+++ b/docker.env
@@ -22,3 +22,5 @@ APP_KEY=Y5hJeC7x1i7OxhDrvrQPlB9KvCorvRdO
 APP_URL=http://127.0.0.1:32782
 APP_TIMEZONE=US/Pacific
 APP_LOCALE=en
+
+ALLOW_IFRAMING=false