FEATURE: Allow embedding to ignore HTTP REFERER

New site setting: `embed_any_origin` that will send postMessages to
wildcard origins `*` instead of the referer.

Most of the time you won't want to do this, so the setting defaults to
`false`. However, there are certain situations where you want to allow
embedding to send post messages when there is no HTTP REFERER.

For example, if you created a native mobile app and you wanted to embed a list
of Discourse topics as HTML. In the code your HTML would be a
static file/string, which would not be able to send a referer. In this
case, the site setting will allow the embed to work.

From a security standpoint we currently only use `postMessage` to send
data about the size of the HTML document and scroll position, so it
should be enabled if required with minimal security ramifications.
This commit is contained in:
Robin Ward
2019-09-10 12:27:07 -04:00
parent cf23016360
commit 1cebe7670a
5 changed files with 27 additions and 5 deletions
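The commit message explains the choice between posting to the referer's origin and to the wildcard `*`. The following is an added example, not Discourse's embed code, showing both halves of that exchange in browser JavaScript: the embed side turns the `data-referer` value the controller renders (the referer, an empty string, or `*`, as the spec below asserts) into a `postMessage` target origin, and the embedding page checks `event.origin` before acting on a resize message. The function names, the `discourse-resize` message type and the payload fields are assumptions for illustration; the size bound on `height` is likewise an invented sanity check.

```javascript
// Added example (not Discourse's own code). Assumed names: targetOriginFor,
// sendSizeMessage, acceptEmbedMessage; assumed message shape {type, height}.

// Embed side: map the rendered data-referer value to a postMessage target.
//   "*"  -> wildcard, any embedding page may receive the message (embed_any_origin)
//   ""   -> no referer and no override, so refuse to post at all
//   URL  -> reduce to its origin; postMessage targetOrigin must be an origin, not a URL
function targetOriginFor(dataReferer) {
  if (dataReferer === "*") return "*";
  if (!dataReferer) return null;
  try {
    return new URL(dataReferer).origin;
  } catch (e) {
    return null; // malformed referer: better to send nothing than to guess
  }
}

// Embed side: post a size message. `post` stands in for window.parent.postMessage
// so the function can run outside a browser. Returns whether anything was sent.
function sendSizeMessage(dataReferer, payload, post) {
  const target = targetOriginFor(dataReferer);
  if (target === null) return false;
  post({ type: "discourse-resize", ...payload }, target);
  return true;
}

// Parent side: even when the embed posts to "*", the embedding page should only
// honour messages whose origin is the Discourse site, and should validate the
// payload before touching the iframe's height.
function acceptEmbedMessage(event, discourseOrigin) {
  if (event.origin !== discourseOrigin) return null;
  const data = event.data;
  if (!data || data.type !== "discourse-resize") return null;
  const height = Number(data.height);
  if (!Number.isFinite(height) || height < 0 || height > 100000) return null;
  return { height };
}

// Constructed demo input (not captured traffic): the three attribute values
// the controller spec checks, fed through the embed-side logic.
const sentTo = [];
for (const ref of ["https://example.com/evil-trout", "", "*"]) {
  sendSizeMessage(ref, { height: 1200 }, (msg, origin) => sentTo.push(origin));
}
// sentTo is ["https://example.com", "*"]: the empty referer posts nothing.
```

The point of the wildcard is delivery, not trust: with `*` the embed can no longer know who receives the size message, so the receiving page's `event.origin` check is the only remaining filter, and the message should stay as narrow as the commit message describes (size and scroll position only).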


@@ -88,12 +88,29 @@ describe EmbedController do
it "returns a list of topics" do
topic = Fabricate(:topic)
get '/embed/topics?discourse_embed_id=de-1234', headers: headers
get '/embed/topics?discourse_embed_id=de-1234', headers: {
'REFERER' => 'https://example.com/evil-trout'
}
expect(response.status).to eq(200)
expect(response.headers['X-Frame-Options']).to eq("ALLOWALL")
expect(response.body).to match("data-embed-id=\"de-1234\"")
expect(response.body).to match("data-topic-id=\"#{topic.id}\"")
expect(response.body).to match("data-referer=\"https://example.com/evil-trout\"")
end
it "returns no referer if not supplied" do
get '/embed/topics?discourse_embed_id=de-1234'
expect(response.status).to eq(200)
expect(response.body).to match("data-referer=\"\"")
end
it "returns * for the referer if `embed_any_origin` is set" do
SiteSetting.embed_any_origin = true
get '/embed/topics?discourse_embed_id=de-1234'
expect(response.status).to eq(200)
expect(response.body).to match("data-referer=\"\\*\"")
end
end
end
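Review bot: the new `embed_any_origin` case (`it "returns * for the referer if ..."`) only exercises a request with no REFERER header, so the precedence between the setting and a supplied referer is never pinned down; add a sibling case that sets `SiteSetting.embed_any_origin = true` and sends `'REFERER' => 'https://example.com/evil-trout'`, asserting which value ends up in `data-referer`. Since that attribute becomes the `postMessage` target origin, a one-line comment in the `*` case noting that it deliberately widens delivery to any embedding page would also help the next reader of this spec.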