[#677] unset the X-Frame-Options when serving static files to allow files embedding

Gani Georgiev
2022-10-02 13:28:33 +03:00
parent b0db2399b8
commit a6cafd1ed7
13 changed files with 217 additions and 208 deletions
+5
@@ -223,6 +223,11 @@ func (s *System) Serve(response http.ResponseWriter, fileKey string, name string
extContentType = ct
}
// clickjacking shouldn't be a concern when serving static files,
// so it safe to unset the global X-Frame-Options to allow files embedding
// (https://github.com/pocketbase/pocketbase/issues/677)
response.Header().Del("X-Frame-Options")
response.Header().Set("Content-Disposition", disposition+"; filename="+name)
response.Header().Set("Content-Type", extContentType)
response.Header().Set("Content-Length", strconv.FormatInt(r.Size(), 10))
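Review bot: The added `response.Header().Del("X-Frame-Options")` is unconditional, so it also applies when `extContentType` is a type browsers render as an active document (HTML, SVG), assuming such files can reach this path with an inline `disposition`; the hunk does not show how `disposition` is chosen. For those responses the comment's claim that clickjacking is not a concern holds only if uploaded files can never present interactive content on the application's origin, and the comment should state that assumption. Consider pairing the removal with `response.Header().Set("Content-Security-Policy", "sandbox")` on file responses, or restricting the `Del` to media types that are safe to render inline. The body of Serve starts and ends outside this hunk, so any existing content-type filtering is not visible here.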
+4
@@ -240,6 +240,10 @@ func TestFileSystemServe(t *testing.T) {
t.Errorf("(%s) Expected value %q for header %q, got %q", scenario.path, hValue, hName, v)
}
}
if v := result.Header.Get("X-Frame-Options"); v != "" {
t.Errorf("(%s) Expected the X-Frame-Options header to be unset, got %v", scenario.path, v)
}
}
}
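Review bot: The new `X-Frame-Options` assertion only proves the header is absent from `result`, which would also be true if it was never set on the response before Serve ran; the setup is outside this hunk, so this may already be handled. To show that Serve removes the header, the test should set it on the response writer first, for example `res.Header().Set("X-Frame-Options", "SAMEORIGIN")` where `res` stands for whatever recorder the test passes to Serve. As a style point, the message formats the value with `%v` while the neighbouring header check uses `%q`; `%q` would make an unexpected empty or whitespace value visible.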