Make frame options header configurable (#3612)

#### What type of PR is this? /kind feature /area core #### What this PR does / why we need it: See https://github.com/halo-dev/halo/issues/3605#issuecomment-1486509473 for more. #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/3605 #### Special notes for your reviewer: #### Does this PR introduce a user-facing change? ```release-note 提供配置以控制能否被 iframe 引用 ```
2023-03-29 14:56:13 +08:00 · 2023-03-29 14:56:13 +08:00 · b846a05276
parent c9a5a01bf1
commit b846a05276
2 changed files with 20 additions and 3 deletions
--- a/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@ -2,7 +2,6 @@ package run.halo.app.config;

 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN;
-import static org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN;
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;

 import java.util.Set;
@ -81,7 +80,8 @@ public class WebServerSecurityConfig {
    @Bean
    @Order(Ordered.HIGHEST_PRECEDENCE + 1)
    SecurityWebFilterChain portalFilterChain(ServerHttpSecurity http,
-        ServerSecurityContextRepository securityContextRepository) {
+        ServerSecurityContextRepository securityContextRepository,
+        HaloProperties haloProperties) {
        var pathMatcher = pathMatchers(HttpMethod.GET, "/**");
        var mediaTypeMatcher = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
        mediaTypeMatcher.setIgnoredMediaTypes(Set.of(MediaType.ALL));
@ -89,7 +89,13 @@ public class WebServerSecurityConfig {
            .authorizeExchange().anyExchange().permitAll().and()
            .securityContextRepository(securityContextRepository)
            .headers()
-            .frameOptions().mode(SAMEORIGIN)
+            .frameOptions(spec -> {
+                var frameOptions = haloProperties.getSecurity().getFrameOptions();
+                spec.mode(frameOptions.getMode());
+                if (frameOptions.isDisabled()) {
+                    spec.disable();
+                }
+            })
            .referrerPolicy().policy(STRICT_ORIGIN_WHEN_CROSS_ORIGIN).and()
            .cache().disable().and()
            .anonymous(spec -> spec.authenticationFilter(
--- a/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
+++ b/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
@ -1,12 +1,23 @@
 package run.halo.app.infra.properties;

 import lombok.Data;
+import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;

@Data
 public class SecurityProperties {

    private final Initializer initializer = new Initializer();

+    private final FrameOptions frameOptions = new FrameOptions();
+
+    @Data
+    public static class FrameOptions {
+
+        private boolean disabled;
+
+        private Mode mode = Mode.SAMEORIGIN;
+    }
+
    @Data
    public static class Initializer {