
Proposal : Permit modification of X-FRAME-OPTIONS headers #7951

Closed
Noctisae opened this issue Aug 23, 2019 · 4 comments · Fixed by #16643
Labels
type/proposal The new feature has not been accepted yet but needs to be discussed first.

Comments

@Noctisae

Hello,

I'd like to file a proposal concerning the HTTP headers sent by Gitea, due to a specific user case I'm running into.

Currently, Gitea always sends the HTTP header "X-FRAME-OPTIONS" with the value "SAMEORIGIN" in all requests, which is a good security practice. However, I'm currently running into a case where I need to set this header to a value like "ALLOW-FROM <external_site>", to permit framing Gitea inside a portal I'm currently working on. Because I do not have control over the proxy serving Gitea, one of the solutions I have is to set the header from Gitea directly. I could also mount a proxy on the same machine as Gitea to have this proxy serve the right headers instead of Gitea, but (in my view) this solution is a complicated workaround of an otherwise easy-to-fix issue.

I'm proposing to permit the configuration of this specific header with a line inside the app.ini, with a default value of SAMEORIGIN (to ensure the default behavior of Gitea isn't modified with the proposed change). This way, anyone could set the value of this header to the value which suits their need, without compromising the default security of the solution. I do understand my case is uncommon, but I think this evolution could be implemented very easily (due to the fact that I've already done it on my part). I can propose the PR if interested.

Thoughts?

@STaRDoGG

STaRDoGG commented Sep 5, 2019

I'd like to be able to individually control the sameorigin header as well; perhaps per repo?

My use case:

  • I'm running Gitea locally via docker on a LAN machine.
  • I also own a public website, and in a post on it, I want to iframe the raw code of one repo (in this case just a single file in the repo; a .css file) on the local Gitea machine. This way, if/when I ever update the source code locally it'll always fetch the latest version of that code within the iframe of that post.

Currently I can't due to the sameorigin header. If I could disable that header for that specific file or repo, then I'd be able to accomplish this.

@lunny lunny added the type/proposal The new feature has not been accepted yet but needs to be discussed first. label Sep 5, 2019
@jap1968

jap1968 commented May 29, 2020

Same problem here. I am running Gitea and Swagger Editor in two different containers. I would like to load a .yaml file from Gitea into the editor. Swagger complains about CORS blocking the request, but maybe the real problem is the X-FRAME-OPTIONS header.

@lafriks
Member

lafriks commented May 29, 2020

CORS has different headers that need to be added to allow cross-origin requests.

@spasche

spasche commented Jul 25, 2021

I agree that having a way to control X-Frame-Options header at the application level would be useful.

If you use nginx as a reverse proxy, it's possible to override it there (credits to https://serverfault.com/a/982013):

server {
    server_name gitea.example.com;
    [...]
    location / {
        proxy_pass http://gitea:8080;

        # Drop the X-Frame-Options header Gitea sends (SAMEORIGIN) so it
        # does not reach the client ...
        proxy_hide_header X-Frame-Options;
        # ... and replace it with the value we want. "always" makes nginx
        # add the header on error responses too, not only on 2xx/3xx.
        add_header X-Frame-Options "allow-from https://trusted.example.com/" always;
    }
}
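To make the two approaches in this thread concrete, here is an added Go example that is not Gitea's code and not from any commenter: `FrameHeaders` is application-side middleware in the spirit of the original proposal (a configurable X-Frame-Options value with a SAMEORIGIN default, via a hypothetical `FrameConfig` struct rather than a real app.ini key), and `OverrideFrameOptions` is the proxy-side equivalent of the `proxy_hide_header` + `add_header` pair in the nginx snippet above, written for `httputil.ReverseProxy.ModifyResponse`. Because `ALLOW-FROM` is obsolete and current browsers ignore it, the config also accepts a list of origins emitted as a Content-Security-Policy `frame-ancestors` directive, which is the supported way to allow a specific external site to frame the application. The upstream in `ProxiedHeader` is a constructed stub transport, so nothing listens on the network.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// FrameConfig is a hypothetical setting block (not Gitea's real config keys).
type FrameConfig struct {
	// XFrameOptions is the raw X-Frame-Options value; empty means "use the safe default".
	XFrameOptions string
	// FrameAncestors lists origins allowed to frame the app via CSP frame-ancestors,
	// the replacement for the obsolete ALLOW-FROM value.
	FrameAncestors []string
}

const defaultXFrameOptions = "SAMEORIGIN"

// EffectiveXFrameOptions falls back to SAMEORIGIN so the default posture is unchanged.
func (c FrameConfig) EffectiveXFrameOptions() string {
	if v := strings.TrimSpace(c.XFrameOptions); v != "" {
		return v
	}
	return defaultXFrameOptions
}

// FrameAncestorsDirective builds "frame-ancestors ..." from the configured origins.
func (c FrameConfig) FrameAncestorsDirective() string {
	if len(c.FrameAncestors) == 0 {
		return ""
	}
	return "frame-ancestors " + strings.Join(c.FrameAncestors, " ")
}

// FrameHeaders is application-side middleware: it sets the headers before the
// wrapped handler writes anything, so every response carries them.
func FrameHeaders(cfg FrameConfig, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", cfg.EffectiveXFrameOptions())
		if d := cfg.FrameAncestorsDirective(); d != "" {
			w.Header().Set("Content-Security-Policy", d)
		}
		next.ServeHTTP(w, r)
	})
}

// OverrideFrameOptions is the proxy-side equivalent of nginx's
// proxy_hide_header + add_header: discard the upstream value, then set ours.
func OverrideFrameOptions(value string) func(*http.Response) error {
	return func(resp *http.Response) error {
		resp.Header.Del("X-Frame-Options")
		resp.Header.Set("X-Frame-Options", value)
		return nil
	}
}

// HeadersFor runs one request through the middleware and returns the
// X-Frame-Options and Content-Security-Policy values it produced.
func HeadersFor(cfg FrameConfig) (string, string) {
	h := FrameHeaders(cfg, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("X-Frame-Options"), rec.Header().Get("Content-Security-Policy")
}

// stubUpstream is a constructed RoundTripper standing in for Gitea: it always
// answers with X-Frame-Options: SAMEORIGIN, as the issue describes.
type stubUpstream struct{}

func (stubUpstream) RoundTrip(r *http.Request) (*http.Response, error) {
	return &http.Response{
		StatusCode: http.StatusOK,
		Header:     http.Header{"X-Frame-Options": {"SAMEORIGIN"}},
		Body:       io.NopCloser(strings.NewReader("upstream")),
		Request:    r,
	}, nil
}

// ProxiedHeader proxies one request through OverrideFrameOptions and returns
// the X-Frame-Options value a client behind the proxy would see.
func ProxiedHeader(value string) string {
	target, _ := url.Parse("http://gitea:8080") // never dialled: transport is stubbed
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = stubUpstream{}
	proxy.ModifyResponse = OverrideFrameOptions(value)

	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Header().Get("X-Frame-Options")
}

func main() {
	xfo, csp := HeadersFor(FrameConfig{FrameAncestors: []string{"'self'", "https://portal.example.com"}})
	fmt.Println(xfo, "|", csp)
	fmt.Println(ProxiedHeader("DENY"))
}
```

Whichever side sets the header, the check is the same: request a page and confirm the response carries exactly one X-Frame-Options value (and the intended `frame-ancestors` directive if framing by an external origin is the goal). Note that with nginx, an `add_header` inside a `location` block replaces, rather than extends, any `add_header` directives inherited from the `server` level.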

zeripath added a commit to zeripath/gitea that referenced this issue Aug 6, 2021
This PR provides a mechanism to set the X-FRAME-OPTIONS header.

Fix go-gitea#7951

Signed-off-by: Andrew Thornton <[email protected]>
techknowlogick pushed a commit that referenced this issue Aug 6, 2021
* Allow setting X-FRAME-OPTIONS

This PR provides a mechanism to set the X-FRAME-OPTIONS header.

Fix #7951

Signed-off-by: Andrew Thornton <[email protected]>

* Update docs/content/doc/advanced/config-cheat-sheet.en-us.md

Co-authored-by: John Olheiser <[email protected]>

Co-authored-by: John Olheiser <[email protected]>
@go-gitea go-gitea locked and limited conversation to collaborators Oct 19, 2021