N°3416 XFrame-Options header is now set using a config parameter, defaults to SAMEORIGIN

Also adds an indirection (\WebPage::add_xframe_options) to set header

pages/ajax.document.php

@@ -62,9 +62,10 @@ try
 				ormDocument::DownloadDocument($oPage, $sClass, $id, $sField, 'attachment');
 				if ($iCacheSec > 0)
 				{
-					$oPage->add_header("Expires: "); // Reset the value set in ajax_page
 					$oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
 					$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
+					$oPage->add_header("Expires: "); // Reset the value set in ajax_page
+					$oPage->add_xframe_options('');
 					$oPage->add_header("Last-Modified: Wed, 15 Jun 2015 13:21:15 GMT"); // An arbitrary date in the past is ok
 				}
 			}
@@ -76,12 +77,12 @@ try
 			$id = utils::ReadParam('id', '');
 			$sSecret = utils::ReadParam('s', '');
 			$iCacheSec = 31556926; // One year ahead: an inline image cannot change
-			if (!empty($id) && !empty($sSecret))
-			{
+			if (!empty($id) && !empty($sSecret)) {
 				ormDocument::DownloadDocument($oPage, 'InlineImage', $id, 'contents', 'inline', 'secret', $sSecret);
-				$oPage->add_header("Expires: "); // Reset the value set in ajax_page
 				$oPage->add_header("Cache-Control: no-transform,public,max-age=$iCacheSec,s-maxage=$iCacheSec");
 				$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
+				$oPage->add_header("Expires: "); // Reset the value set in ajax_page
+				$oPage->add_xframe_options('');
 				$oPage->add_header("Last-Modified: Wed, 15 Jun 2016 13:21:15 GMT"); // An arbitrary date in the past is ok
 			}
 			break;
@@ -92,6 +93,7 @@ try
 			$oPage->SetContentType('text/javascript');
 			$oPage->add_header('Cache-control: public, max-age=86400'); // Cache for 24 hours
 			$oPage->add_header("Pragma: cache"); // Reset the value set .... where ?
+			$oPage->add_xframe_options('');
 			$oPage->add(file_get_contents(Utils::GetCachePath().$sSignature.'.js'));
 			break;