IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FEATURE: add site setting to remove X-Frame-Options header.

Browse Source
This commit is contained in:
Vinoth Kannan
2019-12-06 03:15:09 +05:30
parent 00985559e4
commit f7084a4339
5 changed files with 33 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
config/initializers/011-rack-protection.rb
View File

@@ -2,4 +2,4 @@
require 'rack/protection' require 'rack/protection'
Rails.configuration.middleware.use Rack::Protection::FrameOptions Rails.configuration.middleware.use Middleware::FrameOptions

1
config/locales/server.en.yml
View File

@@ -1517,6 +1517,7 @@ en:
content_security_policy_collect_reports: "Enable CSP violation report collection at /csp_reports" content_security_policy_collect_reports: "Enable CSP violation report collection at /csp_reports"
content_security_policy_script_src: "Additional whitelisted script sources. The current host and CDN are included by default. See <a href='https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243' target='_blank'>Mitigate XSS Attacks with Content Security Policy.</a>" content_security_policy_script_src: "Additional whitelisted script sources. The current host and CDN are included by default. See <a href='https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243' target='_blank'>Mitigate XSS Attacks with Content Security Policy.</a>"
invalidate_inactive_admin_email_after_days: "Admin accounts that have not visited the site in this number of days will need to re-validate their email address before logging in. Set to 0 to disable." invalidate_inactive_admin_email_after_days: "Admin accounts that have not visited the site in this number of days will need to re-validate their email address before logging in. Set to 0 to disable."
allow_embedding_site_in_an_iframe: "Enable embedding of the site in iframes."
top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks" top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks"
post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply" post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on." post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."

2
config/site_settings.yml
View File

@@ -1402,6 +1402,8 @@ security:
default: 365 default: 365
min: 0 min: 0
max: 2000 max: 2000
allow_embedding_site_in_an_iframe:
default: false
onebox: onebox:
enable_flash_video_onebox: false enable_flash_video_onebox: false

15
lib/middleware/frame_options.rb Normal file
View File

@@ -0,0 +1,15 @@
# frozen_string_literal: true
module Middleware
class FrameOptions
def initialize(app, settings = {})
@app = app
end
def call(env)
status, headers, body = @app.call(env)
headers.except!('X-Frame-Options') if SiteSetting.allow_embedding_site_in_an_iframe
[status, headers, body]
end
end
end

14
spec/requests/application_controller_spec.rb
View File

@@ -433,6 +433,20 @@ RSpec.describe ApplicationController do
end end
end end
describe 'allow_embedding_site_in_an_iframe' do
it "should have the 'X-Frame-Options' header with value 'sameorigin'" do
get("/latest")
expect(response.headers['X-Frame-Options']).to eq("SAMEORIGIN")
end
it "should not include the 'X-Frame-Options' header" do
SiteSetting.allow_embedding_site_in_an_iframe = true
get("/latest")
expect(response.headers).not_to include('X-Frame-Options')
end
end
describe 'Delegated auth' do describe 'Delegated auth' do
let :public_key do let :public_key do
<<~TXT <<~TXT