From 78a284f8a1d88041fb7977861d63b8697407ccaa Mon Sep 17 00:00:00 2001
From: Shane Tomlinson <stomlinson@mozilla.com>
Date: Mon, 16 Jul 2012 10:58:17 +0100
Subject: [PATCH] Make x_frame_options configurable.  Default to DENY.

* Useful for when running unit tests on testmob.org.  Unit tests and code need to be embedded in an iframe.
---
 bin/browserid        | 2 +-
 bin/dbwriter         | 2 +-
 bin/static           | 2 +-
 lib/configuration.js | 4 ++++
 4 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/bin/browserid b/bin/browserid
index f3399bb57..63fb7ac09 100755
--- a/bin/browserid
+++ b/bin/browserid
@@ -87,7 +87,7 @@ if (config.get('scheme') == 'https') {
 // #4 - prevent framing of everything.  content underneath that needs to be
 // framed must explicitly remove the x-frame-options
 app.use(function(req, resp, next) {
-  resp.setHeader('x-frame-options', 'DENY');
+  resp.setHeader('x-frame-options', config.get('x_frame_options'));
   next();
 });
 
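Review bot: The value passed to `resp.setHeader('x-frame-options', ...)` is now whatever string the configuration holds, with no check that it is a value browsers honour. Browsers ignore an unrecognised X-Frame-Options value, so a typo in a deployment config would silently remove framing protection from every response. The identical hunks in bin/dbwriter and bin/static have the same gap. Consider checking once at startup that the value is `DENY`, `SAMEORIGIN` or an `ALLOW-FROM <origin>` form and refusing to start otherwise, and update the comment above the middleware to something like `// framing policy comes from x_frame_options (default DENY); content that must be framed overrides it`. The middleware sits in top-level script code that extends beyond the hunk.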
diff --git a/bin/dbwriter b/bin/dbwriter
index f50e577de..978873bd4 100755
--- a/bin/dbwriter
+++ b/bin/dbwriter
@@ -69,7 +69,7 @@ if (config.get('scheme') == 'https') {
 // prevent framing of everything.  content underneath that needs to be
 // framed must explicitly remove the x-frame-options
 app.use(function(req, resp, next) {
-  resp.setHeader('x-frame-options', 'DENY');
+  resp.setHeader('x-frame-options', config.get('x_frame_options'));
   next();
 });
 
diff --git a/bin/static b/bin/static
index adbcdedd6..5164b4ed0 100755
--- a/bin/static
+++ b/bin/static
@@ -69,7 +69,7 @@ if (statsd_config && statsd_config.enabled) {
 // #4 - prevent framing of everything.  content underneath that needs to be
 // framed must explicitly remove the x-frame-options
 app.use(function(req, resp, next) {
-  resp.setHeader('x-frame-options', 'DENY');
+  resp.setHeader('x-frame-options', config.get('x_frame_options'));
   next();
 });
 
diff --git a/lib/configuration.js b/lib/configuration.js
index 5d82f914d..e82310ef8 100644
--- a/lib/configuration.js
+++ b/lib/configuration.js
@@ -232,6 +232,10 @@ var conf = module.exports = convict({
     doc: "A mapping of domain names to urls, which maps popular email services to shimmed IDP deployments.",
     format: 'object { } *?',
     env: 'PROXY_IDPS' // JSON text, i.e. {"yahoo.com":"yahoo.login.persona.org"}
+  },
+  x_frame_options: {
+    doc: "By default, do not allow BrowserID to be embedded in an IFRAME",
+    format: 'string = "DENY"'
   }
 });
 
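Review bot: The `doc` string for `x_frame_options` does not say which values are acceptable or that loosening it removes clickjacking protection from BrowserID pages, and the `format` accepts any string. I would reword it along the lines of `doc: "X-Frame-Options header value sent on every response (DENY, SAMEORIGIN or ALLOW-FROM <origin>); anything other than DENY is intended for test deployments only"`. Unlike the `proxy_idps` entry just above, it has no `env:` mapping, so it can presumably only be set from a config file; if that is deliberate, a short comment saying so would help. The convict schema object starts outside the hunk.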
-- 
GitLab