[FIXED JENKINS-21881] System property for disabling X-Frame-Options

fc78fdee · Daniel Beck · aa7f0a93 · fc78fdee · fc78fdee · fc78fdee
3 changed file
--- a/core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
+++ b/core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
+package jenkins.security;
+
+import hudson.Extension;
+import hudson.model.PageDecorator;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Adds the 'X-Frame-Options' header to all web pages.
+ *
+ * @since TODO
+ */
+@Extension(ordinal = 1000)
+public class FrameOptionsPageDecorator extends PageDecorator {
+    @Restricted(NoExternalUse.class)
+    public static boolean enabled = Boolean.valueOf(System.getProperty(FrameOptionsPageDecorator.class.getName() + ".enabled", "true"));
+}
--- a/core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
+++ b/core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler">
+    <j:if test="${it.enabled}">
+        <st:header name="X-Frame-Options" value="sameorigin"/>
+    </j:if>
+</j:jelly>
\ No newline at end of file
--- a/core/src/main/resources/lib/layout/layout.jelly
+++ b/core/src/main/resources/lib/layout/layout.jelly
@@ -56,7 +56,6 @@ THE SOFTWARE.
 <st:setHeader name="Expires" value="0" />
 <st:setHeader name="Cache-Control" value="no-cache,no-store,must-revalidate" />
 <st:setHeader name="X-Hudson-Theme" value="default" />
-<st:setHeader name="X-Frame-Options" value="sameorigin" />
 <st:contentType value="text/html;charset=UTF-8" />

  <j:new var="h" className="hudson.Functions" /><!-- instead of JSP functions -->