From e51091f199a0c8429693ff8341877dce731e7d7f Mon Sep 17 00:00:00 2001
From: Vinoth Kannan
Date: Fri, 6 Dec 2019 18:25:32 +0530
Subject: [PATCH] REFACTOR: do `X-Frame-Options` header removal in application controller.

Co-authored-by: Sam

Previous commit: f7084a4339e2667f644cffcfea61cc3c69521bec
---
 app/controllers/application_controller.rb | 7 +++++++
 config/initializers/011-rack-protection.rb | 5 -----
 lib/middleware/frame_options.rb | 15 ---------------
 3 files changed, 7 insertions(+), 20 deletions(-)
 delete mode 100644 config/initializers/011-rack-protection.rb
 delete mode 100644 lib/middleware/frame_options.rb

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f843ddc7e03..48ce0506c94 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -43,6 +43,7 @@ class ApplicationController < ActionController::Base
   after_action :add_readonly_header
   after_action :perform_refresh_session
   after_action :dont_cache_page
+  after_action :conditionally_allow_site_embedding
 
   layout :set_layout
 
@@ -87,6 +88,12 @@ class ApplicationController < ActionController::Base
     end
   end
 
+  def conditionally_allow_site_embedding
+    if SiteSetting.allow_embedding_site_in_an_iframe
+      response.headers.delete('X-Frame-Options')
+    end
+  end
+
   def set_layout
     case request.headers["Discourse-Render"]
     when "desktop"
diff --git a/config/initializers/011-rack-protection.rb b/config/initializers/011-rack-protection.rb
deleted file mode 100644
index 1b740d1c534..00000000000
--- a/config/initializers/011-rack-protection.rb
+++ /dev/null
@@ -1,5 +0,0 @@
-# frozen_string_literal: true
-
-require 'rack/protection'
-
-Rails.configuration.middleware.use Middleware::FrameOptions
diff --git a/lib/middleware/frame_options.rb b/lib/middleware/frame_options.rb
deleted file mode 100644
index baceaeb6640..00000000000
--- a/lib/middleware/frame_options.rb
+++ /dev/null
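Review bot: Moving the header removal from Rack middleware into an `after_action` narrows its scope, and that difference is not recorded anywhere in `conditionally_allow_site_embedding`: after callbacks do not run when a `before_action` halts the chain (e.g. a redirect) or when the action raises, and responses that never pass through an `ApplicationController` subclass are untouched, whereas the deleted `Middleware::FrameOptions` stripped `X-Frame-Options` from every response. That is the safer, fail-closed direction, but embedders will see the default `SAMEORIGIN` header on exactly those error and redirect responses, so it deserves a comment such as `# after_action only: halted before_actions, exceptions and non-controller responses keep the default X-Frame-Options (fail-closed)`. The hunk does not show whether the new method lands in the public section; Rails treats public instance methods of a controller as `action_methods`, so if it is public it should move under `private` alongside the other callbacks, if that is where they live. ApplicationController's body continues outside the hunk.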
@@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-module Middleware
-  class FrameOptions
-    def initialize(app, settings = {})
-      @app = app
-    end
-
-    def call(env)
-      status, headers, body = @app.call(env)
-      headers.except!('X-Frame-Options') if SiteSetting.allow_embedding_site_in_an_iframe
-      [status, headers, body]
-    end
-  end
-end