API Allow X-Frame-Options to be configured

Fixes #2970

admin/code/LeftAndMain.php

@@ -164,6 +164,14 @@ class LeftAndMain extends Controller implements PermissionProvider {
 	 */
 	private static $session_keepalive_ping = true;
 
+	/**
+	 * Value of X-Frame-Options header
+	 *
+	 * @config
+	 * @var string
+	 */
+	private static $frame_options = 'SAMEORIGIN';
+
 	/**
 	 * @var PjaxResponseNegotiator
 	 */
@@ -470,7 +478,7 @@ class LeftAndMain extends Controller implements PermissionProvider {
 
 		// Prevent clickjacking, see https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
 		$originalResponse = $this->getResponse();
-		$originalResponse->addHeader('X-Frame-Options', 'SAMEORIGIN');
+		$originalResponse->addHeader('X-Frame-Options', $this->config()->frame_options);
 		$originalResponse->addHeader('Vary', 'X-Requested-With');
 
 		return $response;

security/Security.php

@@ -138,6 +138,14 @@ class Security extends Controller implements TemplateGlobalProvider {
 	 */
 	private static $lost_password_url = "Security/lostpassword";
 
+	/**
+	 * Value of X-Frame-Options header
+	 *
+	 * @config
+	 * @var string
+	 */
+	private static $frame_options = 'SAMEORIGIN';
+
 	/**
 	 * Get location of word list file
 	 *
@@ -317,7 +325,7 @@ class Security extends Controller implements TemplateGlobalProvider {
 		parent::init();
 
 		// Prevent clickjacking, see https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
-		$this->getResponse()->addHeader('X-Frame-Options', 'SAMEORIGIN');
+		$this->getResponse()->addHeader('X-Frame-Options', $this->config()->frame_options);
 	}
 
 	public function index() {