[FIXED JENKINS-21881] System property for disabling X-Frame-Options

jenkinsci · Sep 7, 2014 · fc78fde · fc78fde
1 parent aa7f0a9
commit fc78fde
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 1 deletion.
diff --git a/core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java b/core/src/main/java/jenkins/security/FrameOptionsPageDecorator.java
@@ -0,0 +1,17 @@
+package jenkins.security;
+
+import hudson.Extension;
+import hudson.model.PageDecorator;
+import org.kohsuke.accmod.Restricted;
+import org.kohsuke.accmod.restrictions.NoExternalUse;
+
+/**
+ * Adds the 'X-Frame-Options' header to all web pages.
+ *
+ * @since TODO
+ */
+@Extension(ordinal = 1000)
+public class FrameOptionsPageDecorator extends PageDecorator {
+    @Restricted(NoExternalUse.class)
+    public static boolean enabled = Boolean.valueOf(System.getProperty(FrameOptionsPageDecorator.class.getName() + ".enabled", "true"));
+}
diff --git a/core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly b/core/src/main/resources/jenkins/security/FrameOptionsPageDecorator/httpHeaders.jelly
@@ -0,0 +1,6 @@
+<?jelly escape-by-default='true'?>
+<j:jelly xmlns:j="jelly:core" xmlns:st="jelly:stapler">
+    <j:if test="${it.enabled}">
+        <st:header name="X-Frame-Options" value="sameorigin"/>
+    </j:if>
+</j:jelly>
diff --git a/core/src/main/resources/lib/layout/layout.jelly b/core/src/main/resources/lib/layout/layout.jelly
@@ -56,7 +56,6 @@ THE SOFTWARE.
 <st:setHeader name="Expires" value="0" />
 <st:setHeader name="Cache-Control" value="no-cache,no-store,must-revalidate" />
 <st:setHeader name="X-Hudson-Theme" value="default" />
-<st:setHeader name="X-Frame-Options" value="sameorigin" />
 <st:contentType value="text/html;charset=UTF-8" />
 
   <j:new var="h" className="hudson.Functions" /><!-- instead of JSP functions -->