REFACTOR: do `X-Frame-Options` header removal in application controller.

Co-authored-by: Sam <sam.saffron@gmail.com> Previous commit: f7084a4339
2019-12-06 18:25:32 +05:30 · 2019-12-06 18:25:32 +05:30 · e51091f199
parent c88797bf0e
commit e51091f199
3 changed files with 7 additions and 20 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -43,6 +43,7 @@ class ApplicationController < ActionController::Base
  after_action  :add_readonly_header
  after_action  :perform_refresh_session
  after_action  :dont_cache_page
+  after_action  :conditionally_allow_site_embedding

  layout :set_layout

@ -87,6 +88,12 @@ class ApplicationController < ActionController::Base
    end
  end

+  def conditionally_allow_site_embedding
+    if SiteSetting.allow_embedding_site_in_an_iframe
+      response.headers.delete('X-Frame-Options')
+    end
+  end
+
  def set_layout
    case request.headers["Discourse-Render"]
    when "desktop"
--- a/config/initializers/011-rack-protection.rb
+++ b/config/initializers/011-rack-protection.rb
@ -1,5 +0,0 @@
-# frozen_string_literal: true
-
-require 'rack/protection'
-
-Rails.configuration.middleware.use Middleware::FrameOptions
--- a/lib/middleware/frame_options.rb
+++ b/lib/middleware/frame_options.rb
@ -1,15 +0,0 @@
-# frozen_string_literal: true
-
-module Middleware
-  class FrameOptions
-    def initialize(app, settings = {})
-      @app = app
-    end
-
-    def call(env)
-      status, headers, body = @app.call(env)
-      headers.except!('X-Frame-Options') if SiteSetting.allow_embedding_site_in_an_iframe
-      [status, headers, body]
-    end
-  end
-end