FEATURE: add site setting to remove X-Frame-Options header.

discourse · Dec 5, 2019 · f7084a4 · f7084a4 · discoursebot · Dec 5, 2019
1 parent 0098555
commit f7084a4
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 1 deletion.
diff --git a/config/initializers/011-rack-protection.rb b/config/initializers/011-rack-protection.rb
@@ -2,4 +2,4 @@
 
 require 'rack/protection'
 
-Rails.configuration.middleware.use Rack::Protection::FrameOptions
+Rails.configuration.middleware.use Middleware::FrameOptions
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
@@ -1517,6 +1517,7 @@ en:
     content_security_policy_collect_reports: "Enable CSP violation report collection at /csp_reports"
     content_security_policy_script_src: "Additional whitelisted script sources. The current host and CDN are included by default. See <a href='https://meta.discourse.org/t/mitigate-xss-attacks-with-content-security-policy/104243' target='_blank'>Mitigate XSS Attacks with Content Security Policy.</a>"
     invalidate_inactive_admin_email_after_days: "Admin accounts that have not visited the site in this number of days will need to re-validate their email address before logging in. Set to 0 to disable."
+    allow_embedding_site_in_an_iframe: "Enable embedding of the site in iframes."
     top_menu: "Determine which items appear in the homepage navigation, and in what order. Example latest|new|unread|categories|top|read|posted|bookmarks"
     post_menu: "Determine which items appear on the post menu, and in what order. Example like|edit|flag|delete|share|bookmark|reply"
     post_menu_hidden_items: "The menu items to hide by default in the post menu unless an expansion ellipsis is clicked on."

diff --git a/config/site_settings.yml b/config/site_settings.yml
@@ -1402,6 +1402,8 @@ security:
     default: 365
     min: 0
     max: 2000
+  allow_embedding_site_in_an_iframe:
+    default: false
 
 onebox:
   enable_flash_video_onebox: false

diff --git a/lib/middleware/frame_options.rb b/lib/middleware/frame_options.rb
@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Middleware
+  class FrameOptions
+    def initialize(app, settings = {})
+      @app = app
+    end
+
+    def call(env)
+      status, headers, body = @app.call(env)
+      headers.except!('X-Frame-Options') if SiteSetting.allow_embedding_site_in_an_iframe
+      [status, headers, body]
+    end
+  end
+end
diff --git a/spec/requests/application_controller_spec.rb b/spec/requests/application_controller_spec.rb
@@ -433,6 +433,20 @@
     end
   end
 
+  describe 'allow_embedding_site_in_an_iframe' do
+
+    it "should have the 'X-Frame-Options' header with value 'sameorigin'" do
+      get("/latest")
+      expect(response.headers['X-Frame-Options']).to eq("SAMEORIGIN")
+    end
+
+    it "should not include the 'X-Frame-Options' header" do
+      SiteSetting.allow_embedding_site_in_an_iframe = true
+      get("/latest")
+      expect(response.headers).not_to include('X-Frame-Options')
+    end
+  end
+
   describe 'Delegated auth' do
     let :public_key do
       <<~TXT