FEATURE: add site setting to remove `X-Frame-Options` header.

2019-12-06 03:15:09 +05:30 · 2019-12-06 03:15:09 +05:30 · f7084a4339
parent 00985559e4
commit f7084a4339
5 changed files with 33 additions and 1 deletions
--- a/config/initializers/011-rack-protection.rb
+++ b/config/initializers/011-rack-protection.rb
@ -2,4 +2,4 @@

 require 'rack/protection'

-Rails.configuration.middleware.use Rack::Protection::FrameOptions
+Rails.configuration.middleware.use Middleware::FrameOptions
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -1517,6 +1517,7 @@ en:
    content_security_policy_collect_reports: "Enable CSP violation report collection at /csp_reports"
    content_security_policy_script_src: "Additional whitelisted script sources. The current host and CDN are included by default. See <a href='https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243' target='_blank'>Mitigate XSS Attacks with Content Security Policy.</a>"
    invalidate_inactive_admin_email_after_days: "Admin accounts that have not visited the site in this number of days will need to re-validate their email address before logging in. Set to 0 to disable."
+    allow_embedding_site_in_an_iframe: "Enable embedding of the site in iframes."
    top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks"
    post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
    post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -1402,6 +1402,8 @@ security:
    default: 365
    min: 0
    max: 2000
+  allow_embedding_site_in_an_iframe:
+    default: false

 onebox:
  enable_flash_video_onebox: false
--- a/lib/middleware/frame_options.rb
+++ b/lib/middleware/frame_options.rb
@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Middleware
+  class FrameOptions
+    def initialize(app, settings = {})
+      @app = app
+    end
+
+    def call(env)
+      status, headers, body = @app.call(env)
+      headers.except!('X-Frame-Options') if SiteSetting.allow_embedding_site_in_an_iframe
+      [status, headers, body]
+    end
+  end
+end
--- a/spec/requests/application_controller_spec.rb
+++ b/spec/requests/application_controller_spec.rb
@ -433,6 +433,20 @@ RSpec.describe ApplicationController do
    end
  end

+  describe 'allow_embedding_site_in_an_iframe' do
+
+    it "should have the 'X-Frame-Options' header with value 'sameorigin'" do
+      get("/latest")
+      expect(response.headers['X-Frame-Options']).to eq("SAMEORIGIN")
+    end
+
+    it "should not include the 'X-Frame-Options' header" do
+      SiteSetting.allow_embedding_site_in_an_iframe = true
+      get("/latest")
+      expect(response.headers).not_to include('X-Frame-Options')
+    end
+  end
+
  describe 'Delegated auth' do
    let :public_key do
      <<~TXT