From 3b4a5b8785fff8672abb76fae4325c49b7ffca26 Mon Sep 17 00:00:00 2001
From: advplyr
Date: Fri, 6 Dec 2024 17:17:32 -0600
Subject: [PATCH] Support ALLOW_IFRAME env variable to not include frame-ancestors header #3684

---
 index.js         | 1 +
 server/Server.js | 7 +++++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index de1ed5c302..9a0be347cc 100644
--- a/index.js
+++ b/index.js
@@ -11,6 +11,7 @@ if (isDev) {
   if (devEnv.FFProbePath) process.env.FFPROBE_PATH = devEnv.FFProbePath
   if (devEnv.NunicodePath) process.env.NUSQLITE3_PATH = devEnv.NunicodePath
   if (devEnv.SkipBinariesCheck) process.env.SKIP_BINARIES_CHECK = '1'
+  if (devEnv.AllowIframe) process.env.ALLOW_IFRAME = '1'
   if (devEnv.BackupPath) process.env.BACKUP_PATH = devEnv.BackupPath
   process.env.SOURCE = 'local'
   process.env.ROUTER_BASE_PATH = devEnv.RouterBasePath || ''
diff --git a/server/Server.js b/server/Server.js
index 9153ab0921..cd96733e98 100644
--- a/server/Server.js
+++ b/server/Server.js
@@ -53,6 +53,7 @@ class Server {
     global.RouterBasePath = ROUTER_BASE_PATH
     global.XAccel = process.env.USE_X_ACCEL
     global.AllowCors = process.env.ALLOW_CORS === '1'
+    global.AllowIframe = process.env.ALLOW_IFRAME === '1'
     global.DisableSsrfRequestFilter = process.env.DISABLE_SSRF_REQUEST_FILTER === '1'
 
     if (!fs.pathExistsSync(global.ConfigPath)) {
@@ -194,8 +195,10 @@ class Server {
     const app = express()
 
     app.use((req, res, next) => {
-      // Prevent clickjacking by disallowing iframes
-      res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")
+      if (!global.AllowIframe) {
+        // Prevent clickjacking by disallowing iframes
+        res.setHeader('Content-Security-Policy', "frame-ancestors 'self'")
+      }
 
       /**
        * @temporary
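Review bot: `global.AllowIframe = process.env.ALLOW_IFRAME === '1'` makes clickjacking protection an all-or-nothing switch, and the middleware hunk further down omits the Content-Security-Policy header entirely when it is set, so any origin can frame the app once an operator enables it. At minimum the flag line should be followed by a startup warning so the trade-off is visible in the logs, e.g. `if (global.AllowIframe) Logger.warn('[Server] ALLOW_IFRAME=1: frame-ancestors CSP disabled, the app can be embedded by any site')` (using whatever logger Server.js already has in scope; none is visible in this hunk). A less blunt design would let ALLOW_IFRAME carry a space-separated list of trusted origins and emit `frame-ancestors 'self' <origins>`, keeping the header present while still covering the embedding use case from #3684. The enclosing method of this hunk starts outside the hunk.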