From f7084a4339e2667f644cffcfea61cc3c69521bec Mon Sep 17 00:00:00 2001
From: Vinoth Kannan
Date: Fri, 6 Dec 2019 03:15:09 +0530
Subject: [PATCH] FEATURE: add site setting to remove `X-Frame-Options` header.
---
 config/initializers/011-rack-protection.rb | 2 +-
 config/locales/server.en.yml | 1 +
 config/site_settings.yml | 2 ++
 lib/middleware/frame_options.rb | 15 +++++++++++++++
 spec/requests/application_controller_spec.rb | 14 ++++++++++++++
 5 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 lib/middleware/frame_options.rb
diff --git a/config/initializers/011-rack-protection.rb b/config/initializers/011-rack-protection.rb
index 72bda38b072..1b740d1c534 100644
--- a/config/initializers/011-rack-protection.rb
+++ b/config/initializers/011-rack-protection.rb
@@ -2,4 +2,4 @@
 require 'rack/protection'
-Rails.configuration.middleware.use Rack::Protection::FrameOptions
+Rails.configuration.middleware.use Middleware::FrameOptions
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index 1a89507cd53..8792b061e29 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
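Review bot: This line replaces the middleware that set `X-Frame-Options` with one that only removes it, so after the change the `SAMEORIGIN` value asserted in the spec has to come from another layer that is not visible in this patch (presumably Rails' default response headers). A short comment here would keep that dependency explicit: `# Middleware::FrameOptions strips X-Frame-Options when allow_embedding_site_in_an_iframe is on; it does not set the header itself`. If that other layer is ever disabled, the header silently disappears for every site, so the default-case example in the spec is the right guard to keep.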
@@ -1517,6 +1517,7 @@ en:
 content_security_policy_collect_reports: "Enable CSP violation report collection at /csp_reports"
 content_security_policy_script_src: "Additional whitelisted script sources. The current host and CDN are included by default. See Mitigate XSS Attacks with Content Security Policy."
 invalidate_inactive_admin_email_after_days: "Admin accounts that have not visited the site in this number of days will need to re-validate their email address before logging in. Set to 0 to disable."
+ allow_embedding_site_in_an_iframe: "Enable embedding of the site in iframes."
 top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks"
 post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
 post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."
diff --git a/config/site_settings.yml b/config/site_settings.yml
index b4ef1349cb7..698bad76119 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -1402,6 +1402,8 @@ security:
 default: 365
 min: 0
 max: 2000
+ allow_embedding_site_in_an_iframe:
+ default: false
 onebox:
 enable_flash_video_onebox: false
diff --git a/lib/middleware/frame_options.rb b/lib/middleware/frame_options.rb
new file mode 100644
index 00000000000..baceaeb6640
--- /dev/null
+++ b/lib/middleware/frame_options.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Middleware
+ class FrameOptions
+ def initialize(app, settings = {})
+ @app = app
+ end
+
+ def call(env)
+ status, headers, body = @app.call(env)
+ headers.except!('X-Frame-Options') if SiteSetting.allow_embedding_site_in_an_iframe
+ [status, headers, body]
+ end
+ end
+end
diff --git a/spec/requests/application_controller_spec.rb b/spec/requests/application_controller_spec.rb
index 00ac570a1ae..a2aa723434e 100644
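Review bot: `headers.except!('X-Frame-Options')` in `call` relies on ActiveSupport's `Hash#except!`; the plain Rack/Ruby form `headers.delete('X-Frame-Options')` does the same job on any headers object the inner app returns and states the intent directly. The class is undocumented: a header comment should say that with `allow_embedding_site_in_an_iframe` on the header is stripped from every response, login and admin pages included, so clickjacking protection is gone for all parent origins, and that the middleware never sets the header itself. The unused `settings` parameter of `initialize` should be dropped or renamed `_settings`. The same caveat belongs in the setting description in the `server.en.yml` hunk, where `Enable embedding of the site in iframes.` could read `Enable embedding of the site in iframes. This removes the X-Frame-Options header from every response, so any site can frame this one.` An allowlist of permitted parent origins (a CSP `frame-ancestors` list) would be a narrower shape than removing the header outright; nothing in this hunk touches CSP, so that is a follow-up rather than a blocker.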
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@@ -433,6 +433,20 @@ RSpec.describe ApplicationController do
 end
 end
+ describe 'allow_embedding_site_in_an_iframe' do
+
+ it "should have the 'X-Frame-Options' header with value 'sameorigin'" do
+ get("/latest")
+ expect(response.headers['X-Frame-Options']).to eq("SAMEORIGIN")
+ end
+
+ it "should not include the 'X-Frame-Options' header" do
+ SiteSetting.allow_embedding_site_in_an_iframe = true
+ get("/latest")
+ expect(response.headers).not_to include('X-Frame-Options')
+ end
+ end
+
 describe 'Delegated auth' do
 let :public_key do
 <<~TXT
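Review bot: The first example's description promises the value `'sameorigin'` while the assertion expects `"SAMEORIGIN"`; align the text with what is asserted, e.g. `it "includes the 'X-Frame-Options' header with value 'SAMEORIGIN' by default" do`. Both examples only request `/latest`, yet the middleware wraps every response; one example on a login or admin route with the setting enabled would document that those pages lose the header as well. The blank line directly after `describe ... do` is a style nit worth dropping.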