From d27aa0bcae4db4baa75c9ad322832f0c11438771 Mon Sep 17 00:00:00 2001 From: Max Winterstein Date: Fri, 7 Jun 2024 21:42:08 +0200 Subject: [PATCH] Enhancement: Allow setting 'X_FRAME_OPTIONS' via environment variable --- docs/configuration.md | 7 +++++++ src/paperless/settings.py | 4 +++- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/docs/configuration.md b/docs/configuration.md index f4c271ce1..b6a7ab4de 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -530,6 +530,13 @@ HTTP header/value expected by Django, eg `'["HTTP_X_FORWARDED_PROTO", "https"]'` Settings this value has security implications. Read the Django documentation and be sure you understand its usage before setting it. +#### [`PAPERLESS_X_FRAME_OPTIONS=`](#PAPERLESS_X_FRAME_OPTIONS) {#PAPERLESS_X_FRAME_OPTIONS} + +: Configures the Django setting [X_FRAME_OPTIONS](https://docs.djangoproject.com/en/4.2/ref/settings/#x-frame-options) +which may be needed for embedding within an iframe. + + Defaults to "SAMEORIGIN". + #### [`PAPERLESS_EMAIL_CERTIFICATE_LOCATION=`](#PAPERLESS_EMAIL_CERTIFICATE_LOCATION) {#PAPERLESS_EMAIL_CERTIFICATE_LOCATION} : Configures an additional SSL certificate file containing a [certificate](https://docs.python.org/3/library/ssl.html#certificates) diff --git a/src/paperless/settings.py b/src/paperless/settings.py index c4e70f68a..930d0d5b8 100644 --- a/src/paperless/settings.py +++ b/src/paperless/settings.py @@ -490,7 +490,9 @@ def _parse_remote_user_settings() -> str: HTTP_REMOTE_USER_HEADER_NAME = _parse_remote_user_settings() # X-Frame options for embedded PDF display: -X_FRAME_OPTIONS = "ANY" if DEBUG else "SAMEORIGIN" +X_FRAME_OPTIONS = ( + "ANY" if DEBUG else os.getenv("PAPERLESS_X_FRAME_OPTIONS", "SAMEORIGIN") +) # The next 3 settings can also be set using just PAPERLESS_URL
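Review bot: The value of `PAPERLESS_X_FRAME_OPTIONS` in `src/paperless/settings.py` is handed to Django unchecked, so a typo, an empty value or the obsolete `ALLOW-FROM …` form would be sent as the header (presumably by Django's XFrameOptionsMiddleware), and current browsers ignore a value they do not recognise. That silently removes clickjacking protection for the authenticated UI instead of narrowing it. I would normalise it with `_xfo = os.getenv("PAPERLESS_X_FRAME_OPTIONS", "SAMEORIGIN").strip().upper()` and warn or fail at startup when `_xfo not in {"DENY", "SAMEORIGIN"}`. The new docs entry should also say that any other value opens framing to every origin, and that limiting embedding to one site needs a CSP `frame-ancestors` policy rather than this header. Because the `DEBUG` branch ignores the variable, a comment such as `# DEBUG always sends "ANY"; PAPERLESS_X_FRAME_OPTIONS is only read when DEBUG is off` would make the precedence explicit; the rest of the module lies outside the hunk.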