From 79e3fcc1093a5727cc26e95d69dfd037718978ad Mon Sep 17 00:00:00 2001
From: Laurent Destailleur
Date: Fri, 11 Jan 2019 17:03:29 +0100
Subject: [PATCH] NEW Add constant XFRAMEOPTIONS_ALLOWALL
---
 htdocs/main.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index fcc416b9858..c9115077dd0 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -1115,7 +1115,8 @@ function top_httphead($contenttype='text/html', $forcenocache=0)
 else header("Content-Type: ".$contenttype);
 // Security options
 header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
- header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+ if (! defined('XFRAMEOPTIONS_ALLOWALL')) header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
+ else header("X-Frame-Options: ALLOWALL");
 //header("X-XSS-Protection: 1"); // XSS protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated.
 if (! defined('FORCECSP')) {
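Review bot: `ALLOWALL` on the new `else` line is not a value defined for X-Frame-Options (RFC 7034 lists only DENY, SAMEORIGIN and ALLOW-FROM), so browsers treat the header as unrecognised and ignore it; framing ends up permitted, but only as a side effect of sending an invalid header. The conventional way to permit framing is to send no X-Frame-Options header at all, so the `else` branch can be dropped and the line reduced to `if (! defined('XFRAMEOPTIONS_ALLOWALL')) header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (mitigates clickjacking)`. The carried-over comment "stop some XSS attacks" is inaccurate — X-Frame-Options addresses clickjacking, not XSS — and a comment stating where a caller is expected to define XFRAMEOPTIONS_ALLOWALL would help, since defining it anywhere before top_httphead() runs removes the protection for that response. If the FORCECSP block below emits a Content-Security-Policy with a frame-ancestors directive, that directive takes precedence over X-Frame-Options in supporting browsers, but the hunk does not show whether it does. top_httphead's body continues outside the hunk on both sides.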