    iframe: Allow Multiple iFrame Domains · 4f7c4dcb
    JediKev authored
    Previously, we added a security header to prevent click-jacking called
    "X-Frame-Options". This introduced an issue with people using osTicket in
    iFrames on their websites. To mitigate the issue, this updates the security
    header to allow the site to be framed from specified domains; if none are
    provided, we default to 'self'. This adds a new field to General System
    Settings called "Allow iFrames" where you may enter a comma-separated list
    of domains that the site can be framed on. This also adds a validator for
    the field to validate the domains and ensure they fit the <host-source>
    syntax from [Mozilla Developer
    Docs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors#Sources).
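
The validation and fallback described in this commit message, sketched as an added example (not osTicket's own code; the function names `is_host_source` and `frame_ancestors_policy` are hypothetical). It assumes the header in question is `Content-Security-Policy: frame-ancestors`, as the linked MDN page suggests, and accepts a simplified `<host-source>` without paths.

```php
<?php
// Added illustration; function names are hypothetical, not osTicket's API.

/**
 * Validate one entry against a simplified CSP <host-source>:
 *   [scheme "://"] ( "*" | ["*."] dns-name ) [ ":" ( port | "*" ) ]
 * Paths are not accepted here (assumption: admins list origins only).
 */
function is_host_source(string $entry): bool
{
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $re = '~\A(?:[A-Za-z][A-Za-z0-9+.-]*://)?'
        . '(?:\*|(?:\*\.)?' . $label . '(?:\.' . $label . ')*)'
        . '(?::(?:\d{1,5}|\*))?\z~';
    return preg_match($re, $entry) === 1;
}

/**
 * Build the policy from the comma-separated setting.
 * Returns null if any entry is invalid, so a bad value is rejected at
 * save time instead of being emitted into a response header.
 */
function frame_ancestors_policy(string $setting): ?string
{
    $sources = [];
    foreach (explode(',', $setting) as $raw) {
        $entry = trim($raw);
        if ($entry === '')
            continue;               // tolerate empty items and trailing commas
        if (!is_host_source($entry))
            return null;            // e.g. "a.com; script-src *" or CR/LF
        $sources[] = $entry;
    }
    // Empty setting: fall back to same-origin framing only.
    return 'frame-ancestors ' . ($sources ? implode(' ', array_unique($sources)) : "'self'");
}

// Constructed sample inputs.
$samples = [
    '',
    'https://portal.example.com, *.example.org:8443',
    'example.com; script-src *',
    "example.com\r\nSet-Cookie: x=1",
];
foreach ($samples as $s) {
    $policy = frame_ancestors_policy($s);
    echo json_encode($s), ' => ', $policy === null ? 'REJECTED' : "Content-Security-Policy: $policy", "\n";
}
```

Anchoring the pattern with `\A` and `\z` and rejecting the whole setting on the first bad entry keeps `;`, whitespace and CR/LF out of the emitted header, which is what prevents an admin-supplied value from adding directives or extra headers.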