Allow X-FRAME-OPTIONS to be set in config.py. Default to SAMEORIGIN. Fixes #3439

DENY cannot be supported without breaking the debugger and query tool.
2019-02-12 16:17:14 +00:00 · 2019-02-12 16:17:14 +00:00 · f72dcc23ea
parent 1fc66406f5
commit f72dcc23ea
3 changed files with 12 additions and 0 deletions
--- a/docs/en_US/release_notes_4_3.rst
+++ b/docs/en_US/release_notes_4_3.rst
@ -10,6 +10,7 @@ Features
 ********

 | `Feature #1825 <https://redmine.postgresql.org/issues/1825>`_ - Install a script to start pgAdmin (pgadmin4) from the command line when installed from the Python wheel.
+| `Feature #3439 <https://redmine.postgresql.org/issues/3439>`_ - Allow X-FRAME-OPTIONS to be set for security. Default to SAMEORIGIN.

 Bug fixes
 *********
--- a/web/config.py
+++ b/web/config.py
@ -144,6 +144,12 @@ DEFAULT_SERVER_PORT = 5050
 # Enable CSRF protection?
 CSRF_ENABLED = True

+# Enable X-Frame-Option protection.
+# Set to one of "SAMEORIGIN", "ALLOW-FROM origin" or "" to disable.
+# Note that "DENY" is NOT supported (and will be silently ignored).
+# See https://tools.ietf.org/html/rfc7034 for more info.
+X_FRAME_OPTIONS = "SAMEORIGIN"
+
 # Hashing algorithm used for password storage
 SECURITY_PASSWORD_HASH = 'pbkdf2_sha512'

--- a/web/pgadmin/init.py
+++ b/web/pgadmin/init.py
@ -630,6 +630,11 @@ def create_app(app_name=None):
                                path=config.COOKIE_DEFAULT_PATH,
                                **domain)

+        # X-Frame-Options for security
+        if config.X_FRAME_OPTIONS != "" and \
+                config.X_FRAME_OPTIONS.lower() != "deny":
+            response.headers["X-Frame-Options"] = config.X_FRAME_OPTIONS
+
        return response

    ##########################################################################