Description
Hello,
I'd like to file a proposal concerning the HTTP headers sent by Gitea, due to a specific use case I'm running into.
Currently, Gitea always sends the HTTP header "X-FRAME-OPTIONS" with the value "SAMEORIGIN" in all requests, which is a good security practice. However, I'm currently running into a case where I need to set this header to a value like "ALLOW-FROM <external_site>", to permit framing Gitea inside a portal I'm currently working on. Because I do not have control over the proxy serving Gitea, one of the solutions I have is to set the header from Gitea directly. I could also mount a proxy on the same machine as Gitea to have this proxy serve the right headers instead of Gitea, but (in my view) this solution is a complicated workaround for an otherwise easy-to-fix issue.
I'm proposing to permit the configuration of this specific header with a line inside the app.ini, with a default value of SAMEORIGIN (to ensure the default behavior of Gitea isn't modified with the proposed change). This way, anyone could set the value of this header to the value which suits their need, without compromising the default security of the solution. I do understand my case is uncommon, but I think this evolution could be implemented very easily (due to the fact that I've already done it on my part). I can propose the PR if interested.
Thoughts?
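Added example (not Gitea's code and not the proposer's PR): a small Go `net/http` middleware showing how a configurable X-Frame-Options value with a SAMEORIGIN default could be validated and applied. One caveat worth knowing before relying on `ALLOW-FROM`: it was only ever implemented by Firefox and old Internet Explorer, Chromium never honoured it, and current browsers treat an `X-Frame-Options` header they cannot parse as absent, so the supported way to allow framing from one external origin is the CSP `frame-ancestors` directive. The example therefore emits both headers for the same configured value, and rejects values (such as `ALLOW-FROM *`) that would silently disable framing protection. The setting name `X_FRAME_OPTIONS`, the sample origin `https://portal.example.com` and the function names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// DefaultXFrameOptions is the value used when the (hypothetical) app.ini
// setting X_FRAME_OPTIONS is absent or empty, preserving current behaviour.
const DefaultXFrameOptions = "SAMEORIGIN"

// FrameHeaders holds the two header values derived from one configured setting:
// the legacy X-Frame-Options value and its CSP frame-ancestors equivalent.
type FrameHeaders struct {
	XFrameOptions  string
	FrameAncestors string
}

// ParseXFrameOptions validates a configured X-Frame-Options string.
// Accepted forms: "DENY", "SAMEORIGIN", "ALLOW-FROM <absolute http(s) URL>".
// Anything else is rejected rather than passed through, because an unparsable
// header would leave the site frameable by everyone.
func ParseXFrameOptions(raw string) (FrameHeaders, error) {
	v := strings.TrimSpace(raw)
	if v == "" {
		v = DefaultXFrameOptions
	}
	fields := strings.Fields(v)
	switch {
	case len(fields) == 1 && strings.EqualFold(fields[0], "DENY"):
		return FrameHeaders{"DENY", "frame-ancestors 'none'"}, nil
	case len(fields) == 1 && strings.EqualFold(fields[0], "SAMEORIGIN"):
		return FrameHeaders{"SAMEORIGIN", "frame-ancestors 'self'"}, nil
	case len(fields) == 2 && strings.EqualFold(fields[0], "ALLOW-FROM"):
		// Reduce whatever the admin wrote to a bare origin: scheme://host[:port].
		u, err := url.Parse(fields[1])
		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			return FrameHeaders{}, fmt.Errorf("ALLOW-FROM needs an absolute http(s) origin, got %q", fields[1])
		}
		origin := u.Scheme + "://" + u.Host
		return FrameHeaders{"ALLOW-FROM " + origin, "frame-ancestors " + origin}, nil
	}
	return FrameHeaders{}, fmt.Errorf("unsupported X-Frame-Options value %q", raw)
}

// FrameOptionsMiddleware wraps next so every response carries the configured
// framing policy. Parsing happens once at startup, so a bad setting fails
// fast instead of being emitted on every request.
func FrameOptionsMiddleware(configured string, next http.Handler) (http.Handler, error) {
	h, err := ParseXFrameOptions(configured)
	if err != nil {
		return nil, err
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Frame-Options", h.XFrameOptions)
		// Add, not Set: several Content-Security-Policy headers are all enforced,
		// so this does not clobber a CSP another handler may already have set.
		w.Header().Add("Content-Security-Policy", h.FrameAncestors)
		next.ServeHTTP(w, r)
	}), nil
}

func main() {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	// Constructed sample settings, including one that must be refused.
	for _, setting := range []string{"", "ALLOW-FROM https://portal.example.com/landing", "ALLOW-FROM *"} {
		handler, err := FrameOptionsMiddleware(setting, ok)
		if err != nil {
			fmt.Printf("%-45q rejected: %v\n", setting, err)
			continue
		}
		rec := httptest.NewRecorder()
		handler.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
		fmt.Printf("%-45q -> X-Frame-Options: %s | %s\n", setting,
			rec.Header().Get("X-Frame-Options"), rec.Header().Get("Content-Security-Policy"))
	}
}
```

In a real deployment the `configured` string would come from the ini loader, and the middleware would sit in front of the router like the existing one that hard-codes SAMEORIGIN.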