Move X_FRAME_OPTIONS setting from cors to security section#30256

Merged
silverwind merged 20 commits intogo-gitea:mainfrom
silverwind:xfo
Feb 22, 2026
Conversation

@silverwind
Member

@silverwind silverwind commented Apr 2, 2024

Summary

  • Move cors.X_FRAME_OPTIONS to security.X_FRAME_OPTIONS (old location still works with a deprecation warning)
  • Support "unset" as a special value to remove the X-Frame-Options header entirely
  • Remove X-Frame-Options header from API responses (only set for web/HTML responses)

Migration

If you had customized cors.X_FRAME_OPTIONS, move it to the [security] section. The old location is deprecated and will be removed in a future release.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Apr 2, 2024
@silverwind silverwind added the pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! label Apr 2, 2024
@github-actions github-actions bot added modifies/go Pull requests that update Go code modifies/docs labels Apr 2, 2024
@silverwind silverwind added the type/enhancement An improvement of existing functionality label Apr 2, 2024
@silverwind silverwind changed the title Move cors.X_FRAME_OPTIONS to security.X_FRAME_OPTIONS and add falseoption Move cors.X_FRAME_OPTIONS to security.X_FRAME_OPTIONS and add false option Apr 2, 2024
@pull-request-size pull-request-size bot added size/M and removed size/S labels Apr 2, 2024
@silverwind
Member Author

silverwind commented Apr 3, 2024

BTW, the reason I investigated this is to set a default CSP header. CSP does include a frame-ancestors directive that obsoletes X-Frame-Options, so I guess we could avoid double breaking changes by moving the option to CSP in this PR with an option like security.CSP_FRAME_ANCESTORS.

@silverwind
Member Author

I guess it's alright to merge this as-is. If we introduce CSP later, we can change the default of this value to false. CSP is a bigger topic that I want to do in a separate PR.

@lunny
Member

lunny commented Apr 3, 2024

Maybe we should have a warning if we detect the old value and have some warning on the admin panel.

@silverwind
Member Author

Maybe we should have a warning if we detect the old value and have some warning on the admin panel.

Should be possible. Any pointers where this warning code is?

@lunny
Member

lunny commented Apr 3, 2024

You can use the deprecatedSetting function; you can search the code and find some examples.

@silverwind silverwind marked this pull request as draft April 4, 2024 21:33
silverwind and others added 3 commits February 14, 2026 20:21
* origin/main: (2555 commits)
  automate updating nix flakes (go-gitea#35641)
  Update AGENTS.md instructions (go-gitea#36627)
  use user id in noreply emails (go-gitea#36550)
  feat(db): Improve BuildCaseInsensitiveLike with lowercase (go-gitea#36598)
  [skip ci] Updated translations via Crowdin
  BUG: Fix workflow run jobs API returning null steps (go-gitea#36603)
  Refactor highlight and diff (go-gitea#36599)
  Fix bug when do LFS GC (go-gitea#36500)
  feature to be able to filter project boards by milestones (go-gitea#36321)
  Update emoji data for Unicode 16 (go-gitea#36596)
  Adapt monaco error matching pattern to recent webpack config change (go-gitea#36533)
  Fix a bug user could change another user's primary email (go-gitea#36586)
  fix(repo-editor): disable Monaco `editContext` to avoid bugs with lost focus (go-gitea#36585)
  Fine tune diff highlighting (go-gitea#36592)
  Add code editor setting dropdowns (go-gitea#36534)
  Update to go 1.26.0 and golangci-lint 2.9.0 (go-gitea#36588)
  Improve diff highlighting (go-gitea#36583)
  Fix markup code block layout (go-gitea#36578)
  Remove striped tables in UI (go-gitea#36509)
  Fix vertical alignment of `.commit-sign-badge` children (go-gitea#36570)
  ...

# Conflicts:
#	custom/conf/app.example.ini
#	docs/content/administration/config-cheat-sheet.en-us.md
#	docs/content/administration/config-cheat-sheet.zh-cn.md
#	modules/setting/security.go
#	routers/common/errpage.go
#	services/context/api.go
#	services/context/context.go
…ation warning

Use `deprecatedSetting` to warn when the old `[cors].X_FRAME_OPTIONS`
config option is still present, with fallback to read from the old
location. Update deprecation target to v1.26.0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Clear `StartupProblems` at the start of `LoadCommonSettings` to prevent
duplicate warnings. The function is called twice during web server
startup (early init in cmd/main.go and again in cmd/web.go), causing
every deprecatedSetting warning to appear twice in the admin panel.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@github-actions github-actions bot added docs-update-needed The document needs to be updated synchronously and removed modifies/docs labels Feb 14, 2026
@silverwind silverwind marked this pull request as ready for review February 14, 2026 19:28
@silverwind
Member Author

silverwind commented Feb 14, 2026

Updated and addressed all comments.

There is a pre-existing bug that results in all startup warnings to be shown twice in the UI, I opened #36630 for it.

@silverwind
Member Author

Updated PR title and description. This is no longer breaking, the old location is being deprecated but still works.

@silverwind silverwind removed the pr/breaking Merging this PR means builds will break. Needs a description what exactly breaks, and how to fix it! label Feb 22, 2026
@wxiaoguang
Contributor

wxiaoguang commented Feb 22, 2026

Changes:

  1. Don't set the header on API responses, it has no effect in the real world (it was just caused by code copy-paste)
  2. Use single config var, no need to introduce unnecessary UseXFrameOptions
  3. Removed the value check, it will just appear in the response header, no need to do more check
  4. Use "unset" instead of "false", "unset" is literally more correct
  5. Fix incorrect config comment: it is for "response", not for "request"
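An added example, not Gitea's own code, of the behaviour described in the PR summary above and in this change list: the new `[security]` key is read first, the deprecated `[cors]` key still works but flags a deprecation warning, the special value "unset" removes the header, and API routes never get it. The `Config` struct, the function names and the "SAMEORIGIN" default are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// Config mirrors the new [security] key and deprecated [cors] key (names assumed, not Gitea's).
type Config struct {
	SecurityXFrameOptions string // [security] X_FRAME_OPTIONS
	CorsXFrameOptions     string // [cors] X_FRAME_OPTIONS (deprecated)
}

// ResolveXFrameOptions returns the effective value and whether a deprecation
// warning is due because only the old key is set ("SAMEORIGIN" default assumed).
func ResolveXFrameOptions(c Config) (value string, deprecated bool) {
	value = c.SecurityXFrameOptions
	if value == "" && c.CorsXFrameOptions != "" {
		value, deprecated = c.CorsXFrameOptions, true
	}
	if value == "" {
		value = "SAMEORIGIN"
	}
	return value, deprecated
}

// HeaderFor decides the X-Frame-Options header for a request path: API routes
// get none and "unset" removes it everywhere; ok=false means send no header.
func HeaderFor(value, path string) (hdr string, ok bool) {
	if strings.HasPrefix(path, "/api/") || strings.EqualFold(value, "unset") {
		return "", false
	}
	return value, true
}

// XFrameOptionsMiddleware applies HeaderFor to every response.
func XFrameOptionsMiddleware(value string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if hdr, ok := HeaderFor(value, r.URL.Path); ok {
			w.Header().Set("X-Frame-Options", hdr)
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	v, dep := ResolveXFrameOptions(Config{CorsXFrameOptions: "DENY"})
	fmt.Println(v, dep) // DENY true: old key still honoured, warning due
}
```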

@silverwind silverwind changed the title Move X_FRAME_OPTIONS setting from cors to security section Move X_FRAME_OPTIONS to security section and unify attachment size limits Feb 22, 2026
@silverwind silverwind changed the title Move X_FRAME_OPTIONS to security section and unify attachment size limits Move X_FRAME_OPTIONS setting from cors to security section Feb 22, 2026
@silverwind
Member Author

PR description updated

@silverwind
Member Author

changes are lgtm

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Feb 22, 2026
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Feb 22, 2026
@lunny lunny added this to the 1.26.0 milestone Feb 22, 2026
@silverwind silverwind added the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Feb 22, 2026
@silverwind silverwind enabled auto-merge (squash) February 22, 2026 19:26
@silverwind silverwind merged commit 5f8e19f into go-gitea:main Feb 22, 2026
26 checks passed
@GiteaBot GiteaBot removed the reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. label Feb 22, 2026
zjjhot added a commit to zjjhot/gitea that referenced this pull request Feb 23, 2026
* giteaofficial/main: (81 commits)
  Add keyboard shortcuts for repository file and code search (go-gitea#36416)
  Refactor text utility classes to Tailwind CSS (go-gitea#36703)
  Prevent redirect bypasses via backslash-encoded paths (go-gitea#36660)
  Fix force push time-line commit comments of pull request (go-gitea#36653)
  Fix get release draft permission check (go-gitea#36659)
  Move `X_FRAME_OPTIONS` setting from `cors` to `security` section (go-gitea#30256)
  Update JS and PY deps (go-gitea#36708)
  Move jobparser from act repository to Gitea (go-gitea#36699)
  Fix push time bug (go-gitea#36693)
  Add icon to buttons "Close with Comment", "Close Pull Request", "Close Issue" (go-gitea#36654)
  various fixes (go-gitea#36697)
  Add AI Contribution Policy to CONTRIBUTING.md (go-gitea#36651)
  Add some validation on values provided to USER_DISABLED_FEATURES and EXTERNAL_USER_DISABLED_FEATURES (go-gitea#36688)
  Rework e2e tests (go-gitea#36634)
  Remove unused functions (go-gitea#36672)
  Add migration http transport for push/sync mirror lfs (go-gitea#36665)
  Fix track time issue id (go-gitea#36664)
  Refactor inline style attributes (go-gitea#36652)
  Update Nix flake (go-gitea#36679)
  Upgrade gogit to 5.16.5 (go-gitea#36680)
  ...

# Conflicts:
#	web_src/js/features/repo-issue-content.ts
silverwind added a commit to silverwind/gitea that referenced this pull request Feb 26, 2026
* main: (24 commits)
  Instance-wide (global) info banner and maintenance mode (go-gitea#36571)
  Add created_by filter to SearchIssues (go-gitea#36670)
  Inline and lazy-load EasyMDE CSS, fix border colors (go-gitea#36714)
  Fix release draft access check logic (go-gitea#36720)
  Change image transparency grid to CSS (go-gitea#36711)
  Avoid opening new tab when downloading actions logs (go-gitea#36740)
  Add validation constraints for repository creation fields (go-gitea#36671)
  Fix SVG height calculation in diff viewer (go-gitea#36748)
  Fix path resolving (go-gitea#36734)
  [skip ci] Updated translations via Crowdin
  Fix track time list permission check (go-gitea#36662)
  Fix incorrect setting loading order (go-gitea#36735)
  Use case-insensitive matching for Git error "Not a valid object name" (go-gitea#36728)
  feat: Add workflow dependencies visualization (go-gitea#36248)
  Add keyboard shortcuts for repository file and code search (go-gitea#36416)
  Refactor text utility classes to Tailwind CSS (go-gitea#36703)
  Prevent redirect bypasses via backslash-encoded paths (go-gitea#36660)
  Fix force push time-line commit comments of pull request (go-gitea#36653)
  Fix get release draft permission check (go-gitea#36659)
  Move `X_FRAME_OPTIONS` setting from `cors` to `security` section (go-gitea#30256)
  ...

# Conflicts:
#	web_src/css/base.css
#	web_src/css/index.css
@silverwind silverwind deleted the xfo branch March 2, 2026 05:00