Allow X-FRAME-OPTIONS to be set in config.py. Default to SAMEORIGIN. Fixes #3439

DENY cannot be supported without breaking the debugger and query tool.
2025-02-25 18:55:31 -06:00 · 2019-02-12 16:17:14 +00:00
parent 1fc66406f5
commit f72dcc23ea
3 changed files with 12 additions and 0 deletions
--- a/web/pgadmin/init.py
+++ b/web/pgadmin/init.py
@@ -630,6 +630,11 @@ def create_app(app_name=None):
                                path=config.COOKIE_DEFAULT_PATH,
                                **domain)

+        # X-Frame-Options for security
+        if config.X_FRAME_OPTIONS != "" and \
+                config.X_FRAME_OPTIONS.lower() != "deny":
+            response.headers["X-Frame-Options"] = config.X_FRAME_OPTIONS
+
        return response

    ##########################################################################