From 8d6ce78c655e9a5d0bbf57f2cbf92b594473ca90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6nig?=
Date: Fri, 10 Dec 2021 07:09:42 +0100
Subject: [PATCH 1/3] Allow qr code iframe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian König
---
 advanced/lighttpd.conf.debian | 5 +++++
 advanced/lighttpd.conf.fedora | 5 +++++
 2 files changed, 10 insertions(+)
diff --git a/advanced/lighttpd.conf.debian b/advanced/lighttpd.conf.debian
index a58b5a88..8966dc32 100644
--- a/advanced/lighttpd.conf.debian
+++ b/advanced/lighttpd.conf.debian
@@ -92,5 +92,10 @@ $HTTP["url"] =~ "/teleporter\.php$" {
 }
 }
+# allow API qr code iframe on settings page
+$HTTP["url"] =~ "/admin/settings\.php$" {
+ setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
+}
+
 # Default expire header
 expire.url = ( "" => "access plus 0 seconds" )
diff --git a/advanced/lighttpd.conf.fedora b/advanced/lighttpd.conf.fedora
index ad336a93..6bf9e683 100644
--- a/advanced/lighttpd.conf.fedora
+++ b/advanced/lighttpd.conf.fedora
@@ -100,5 +100,10 @@ $HTTP["url"] =~ "/teleporter\.php$" {
 }
 }
+# allow API qr code iframe on settings page
+$HTTP["url"] =~ "/admin/settings\.php$" {
+ setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
+}
+
 # Default expire header
 expire.url = ( "" => "access plus 0 seconds" )
From 2eff53b2bbc19f899f206ccaf1cbf3d6acb6f57b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6nig?=
Date: Fri, 10 Dec 2021 07:17:13 +0100
Subject: [PATCH 2/3] Allow qr code iframe
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian König
---
 advanced/lighttpd.conf.debian | 6 ++++--
 advanced/lighttpd.conf.fedora | 6 ++++--
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/advanced/lighttpd.conf.debian b/advanced/lighttpd.conf.debian
index 8966dc32..37099ad7 100644
--- a/advanced/lighttpd.conf.debian
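Review bot: The added block assigns `setenv.add-response-header` with `=` inside a URL condition, and as far as I know lighttpd does not merge this directive across matching conditions, so the one-entry list here replaces whatever list an enclosing scope sets instead of adding to it. If the default configuration sends other headers through the same directive (not visible in this hunk), they would be missing from these responses; either repeat them in the block or state the override in the comment, e.g. `# replaces the inherited response-header list for this URL; repeat any other headers that must still be sent`. Separately, `/admin/settings\.php$` is the page that hosts the iframe, and X-Frame-Options is evaluated on the framed response, so this match relaxes framing of the settings page itself. The same two points hold for the identical hunk in `advanced/lighttpd.conf.fedora`, and the first one for the blocks in PATCH 2/3 and 3/3.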
+++ b/advanced/lighttpd.conf.debian
@@ -93,8 +93,10 @@ $HTTP["url"] =~ "/teleporter\.php$" {
 }
 # allow API qr code iframe on settings page
-$HTTP["url"] =~ "/admin/settings\.php$" {
- setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
+$HTTP["url"] =~ "/api_token\.php$" {
+ $HTTP["referer"] =~ "/admin/settings\.php" {
+ setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
+ }
 }
 # Default expire header
diff --git a/advanced/lighttpd.conf.fedora b/advanced/lighttpd.conf.fedora
index 6bf9e683..f4916422 100644
--- a/advanced/lighttpd.conf.fedora
+++ b/advanced/lighttpd.conf.fedora
@@ -101,8 +101,10 @@ $HTTP["url"] =~ "/teleporter\.php$" {
 }
 # allow API qr code iframe on settings page
-$HTTP["url"] =~ "/admin/settings\.php$" {
- setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
+$HTTP["url"] =~ "/api_token\.php$" {
+ $HTTP["referer"] =~ "/admin/settings\.php" {
+ setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
+ }
 }
 # Default expire header
From 28085cf7d8386608470d66ec59d3947b34c7970f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20K=C3=B6nig?=
Date: Fri, 17 Dec 2021 10:08:16 +0100
Subject: [PATCH 3/3] Merge iFrame exceptions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Christian König
---
 advanced/lighttpd.conf.debian | 11 ++---------
 advanced/lighttpd.conf.fedora | 11 ++---------
 2 files changed, 4 insertions(+), 18 deletions(-)
diff --git a/advanced/lighttpd.conf.debian b/advanced/lighttpd.conf.debian
index 37099ad7..cf728e19 100644
--- a/advanced/lighttpd.conf.debian
+++ b/advanced/lighttpd.conf.debian
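Review bot: The nested `$HTTP["referer"] =~ "/admin/settings\.php"` condition matches a substring of a header the client supplies, so it is not an access control: a Referer from any host, or one that merely carries that text in its query string, satisfies it, and a client or Referrer-Policy that strips the path makes the block not apply, which presumably leaves the QR code frame blocked. What actually limits framing is the `SAMEORIGIN` value. Because `api_token\.php` presumably renders the API token, the comment should say this, e.g. `# Referer match only narrows when the header is relaxed; SAMEORIGIN is the framing restriction`, and the pattern can at least be end-anchored, `"/admin/settings\.php(\?.*)?$"`. The same applies to the `advanced/lighttpd.conf.fedora` hunk of this patch and to the merged block in PATCH 3/3.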
@@ -85,15 +85,8 @@ $HTTP["url"] =~ "^/admin/\.(.*)" {
 url.access-deny = ("")
 }
-# allow teleporter iframe on settings page
-$HTTP["url"] =~ "/teleporter\.php$" {
- $HTTP["referer"] =~ "/admin/settings\.php" {
- setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
- }
-}
-
-# allow API qr code iframe on settings page
-$HTTP["url"] =~ "/api_token\.php$" {
+# allow teleporter and API qr code iframe on settings page
+$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
 $HTTP["referer"] =~ "/admin/settings\.php" {
 setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
 }
diff --git a/advanced/lighttpd.conf.fedora b/advanced/lighttpd.conf.fedora
index f4916422..626a3d8d 100644
--- a/advanced/lighttpd.conf.fedora
+++ b/advanced/lighttpd.conf.fedora
@@ -93,15 +93,8 @@ $HTTP["url"] =~ "^/admin/\.(.*)" {
 url.access-deny = ("")
 }
-# allow teleporter iframe on settings page
-$HTTP["url"] =~ "/teleporter\.php$" {
- $HTTP["referer"] =~ "/admin/settings\.php" {
- setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
- }
-}
-
-# allow API qr code iframe on settings page
-$HTTP["url"] =~ "/api_token\.php$" {
+# allow teleporter and API qr code iframe on settings page
+$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
 $HTTP["referer"] =~ "/admin/settings\.php" {
 setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
 }
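Review bot: The merged pattern `"/(teleporter|api_token)\.php$"` is anchored only at the end, so it matches a request path at any depth that ends in either file name, not just the two scripts of the admin interface. The hunk header shows the file already uses a start anchor elsewhere (`"^/admin/\.(.*)"`); the same style here, e.g. `"^/admin/<script-dir>/(teleporter|api_token)\.php$"` with the real directory filled in, keeps the relaxed header on exactly these two responses. The `$HTTP["url"]` block opened by the added line closes after the end of the hunk. The `advanced/lighttpd.conf.fedora` hunk carries the same pattern.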