Support for the X-Frame-Origin response header.

Author: Pierre Buyle

README.md

@@ -74,6 +74,10 @@ The following variables are available to configure the role:
   servers, defaults to ```["unix:/var/run/php-fpm-bkp.sock"]```.
 - **nginx_drupal_language_path_prefixes**: (optional) The list of enabled
   language path prefixes used on the site.
+- **nginx_drupal_x_frame_options**: (optional) Value of the X-Frame-Options
+  response header, defaults to `DENY`. If the site uses frames, set to
+  `SAMEORIGIN`. `DENY` may conflicts with pseudo streaming (at least with Nginx
+  version 1.0.12)
 - **nginx_drupal_sites**: The list of available sites.
     Each site uses the following structure:
     - **file_name**: The name of the site configuration file.

defaults/main.yml

@@ -29,4 +29,5 @@ nginx_drupal_upstream_backup_servers: ["unix:/var/run/php-fpm-bkp.sock"]
 nginx_drupal_sites: none
 nginx_drupal_http_pre_includes: []
 nginx_drupal_http_post_includes: []
-nginx_drupal_language_path_prefixes: []
+nginx_drupal_language_path_prefixes: []
+nginx_drupal_x_frame_options: DENY

templates/nginx.j2

@@ -160,16 +160,13 @@ http {
     ## https://www.owasp.org/index.php/List_of_useful_HTTP_headers.
     add_header X-XSS-Protection '1; mode=block';
 
+    {% if nginx_drupal_x_frame_options %}
     ## Enable clickjacking protection in modern browsers. Available in
     ## IE8 also. See
     ## https://developer.mozilla.org/en/The_X-FRAME-OPTIONS_response_header
     ## This may conflicts with pseudo streaming (at least with Nginx version 1.0.12).
-    ## Uncomment the line below if you're not using media streaming.
-    ## For sites being framing on the same domqin uncomment the line below.
-    #add_header X-Frame-Options SAMEORIGIN;
-    ## For sites accepting to be framed in any context comment the
-    ## line below.
-    add_header X-Frame-Options DENY;
+    add_header X-Frame-Options {{ nginx_drupal_x_frame_options }};
+    {% endif %}
 
     ## Block MIME type sniffing on IE.
     add_header X-Content-Options nosniff;