drupal-core-leboat-htaccess-iframe-brokers-7-98.patch

diff --git a/.htaccess b/.htaccess
index 7dd1d14c9f..354b06d41a 100644
--- a/.htaccess
+++ b/.htaccess
@@ -154,3 +154,25 @@ DirectoryIndex index.php index.html index.htm
   # Disable Proxy header, since it's an attack vector.
   RequestHeader unset Proxy
 </IfModule>
+
+# Allow iFrames for the following brokers
+<IfModule mod_headers.c>
+  SetEnvIfNoCase Referer "^http(s)?://([^\.]+\.)*atelierduvoyage\.ch/" BROKER
+  SetEnvIfNoCase Referer "^http(s)?://([^\.]+\.)*hausboot\.de/" BROKER
+  SetEnvIfNoCase Referer "^http(s)?://([^\.]+\.)*hausboot\.com/" BROKER
+  SetEnvIfNoCase Referer "^http(s)?://([^\.]+\.)*nautic-tours\.de/" BROKER
+  SetEnvIfNoCase Referer "^http(s)?://([^\.]+\.)*tui-hausboote\.com/" BROKER
+  SetEnvIfNoCase Referer "^http(s)?://([^\.]+\.)*vacancesfluviales\.com/" BROKER
+  SetEnvIfNoCase Referer "^http(s)?://([^\.]+\.)*tui-bootsferien\.de/" BROKER
+
+  Header set X-Frame-Options ALLOW env=BROKER
+
+  # If the referer is one of our sites, iFrames should be allowed
+  SetEnvIfNoCase Referer "^http(s)?://www\.leboat\.(at|be|ca|ch|co\.uk|co\.za|com|com\.au|de|fr|nl|es|it|se)/" SAMESITE
+  SetEnvIfNoCase Referer "^http(s)?://www\.emeraldstar\.ie/" SAMESITE
+  SetEnvIfNoCase Referer "^http(s)?://www\.leboat\.(at|be|ca|ch|co\.uk|co\.za|com|com\.au|de|fr|nl|es|it|se)\.uat\.aws\.tuimarine\.com/" SAMESITE
+  SetEnvIfNoCase Referer "^http(s)?://www\.emeraldstar\.ie\.uat\.aws\.tuimarine\.com/" SAMESITE
+  SetEnvIfNoCase Referer "^http(s)?://www\.leboat\.(at|be|ca|ch|co\.uk|co\.za|com|com\.au|de|fr|nl|es|it|se)\.qa\.aws\.tuimarine\.com/" SAMESITE
+  SetEnvIfNoCase Referer "^http(s)?://www\.emeraldstar\.ie\.qa\.aws\.tuimarine\.com/" SAMESITE
+  Header set X-Frame-Options ALLOW env=SAMESITE
+</IfModule>