mirror of
https://github.com/go-gitea/gitea.git
synced 2026-02-28 09:31:05 +01:00
5f8e19fcef
## Summary - Move `cors.X_FRAME_OPTIONS` to `security.X_FRAME_OPTIONS` (old location still works with a deprecation warning) - Support `"unset"` as a special value to remove the `X-Frame-Options` header entirely - Remove `X-Frame-Options` header from API responses (only set for web/HTML responses) ## Migration If you had customized `cors.X_FRAME_OPTIONS`, move it to the `[security]` section. The old location is deprecated and will be removed in a future release. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
28 lines
811 B
Go
28 lines
811 B
Go
// Copyright 2019 The Gitea Authors. All rights reserved.
|
|
// SPDX-License-Identifier: MIT
|
|
|
|
package setting
|
|
|
|
import (
|
|
"time"
|
|
)
|
|
|
|
// CORSConfig defines CORS settings
|
|
var CORSConfig = struct {
|
|
Enabled bool
|
|
AllowDomain []string // FIXME: this option is from legacy code, it actually works as "AllowedOrigins". When refactoring in the future, the config option should also be renamed together.
|
|
Methods []string
|
|
MaxAge time.Duration
|
|
AllowCredentials bool
|
|
Headers []string
|
|
}{
|
|
AllowDomain: []string{"*"},
|
|
Methods: []string{"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"},
|
|
Headers: []string{"Content-Type", "User-Agent"},
|
|
MaxAge: 10 * time.Minute,
|
|
}
|
|
|
|
func loadCorsFrom(rootCfg ConfigProvider) {
|
|
mustMapSetting(rootCfg, "cors", &CORSConfig)
|
|
}
|