
Add frame-src to browser-policy-content.

1 parent f899414 commit 189845f1fba51d291484efeff9a99944380adba1 Emily Stark committed Jan 12, 2014
@@ -111,7 +111,7 @@
Finally, you can configure a whitelist of allowed requests that various types of
content can make. The following functions are defined for the content types
-script, object, image, media, font, and connect.
+script, object, image, media, font, frame, and connect.
<dl class="callbacks">
{{#dtdd "BrowserPolicy.content.allow&lt;ContentType&gt;Origin(origin)"}}
@@ -162,6 +162,12 @@
`https://example.com`.
* `BrowserPolicy.content.allowConnectOrigin("https://example.com")` allows XMLHttpRequest
and WebSocket connections to `https://example.com`.
+* `BrowserPolicy.content.allowFrameOrigin("https://example.com")` allows
+your site to load the origin `https://example.com` in a frame or
+iframe. The `BrowserPolicy.framing` API allows you to control which
+sites can frame your site, while
+`BrowserPolicy.content.allowFrameOrigin` allows you to control which
+sites can be loaded inside frames on your site.
{{/better_markdown}}
@@ -227,7 +227,7 @@ _.extend(BrowserPolicy.content, {
// allow<Resource>Origin, allow<Resource>Data, allow<Resource>self, and
// disallow<Resource> methods for each type of resource.
_.each(["script", "object", "img", "media",
- "font", "connect", "style"],
+ "font", "connect", "style", "frame"],
function (resource) {
var directive = resource + "-src";
var methodResource;
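Review bot: The new `"frame"` entry deserves a one-line comment, because `frame-src` is easy to confuse with the framing policy that already exists in this package: the directive generated here restricts which origins this site may embed, whereas `BrowserPolicy.framing` (per the accompanying docs change) restricts who may frame this site. A comment on the list entry such as `// "frame" -> frame-src: origins this site may load in frames/iframes; who may frame us is BrowserPolicy.framing` would keep a maintainer from wiring a frame-ancestor rule into the wrong place. The `_.each` callback continues beyond the hunk, so I cannot see how `methodResource` is derived for the new entry; the test hunk in this commit shows `allowFrameOrigin` producing `frame-src`, so it appears to work as intended.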
@@ -129,12 +129,12 @@ Tinytest.add("browser-policy - csp", function (test) {
// Check that trailing slashes are trimmed from origins.
BrowserPolicy.content.disallowAll();
- BrowserPolicy.content.allowScriptOrigin("https://foo.com/");
+ BrowserPolicy.content.allowFrameOrigin("https://foo.com/");
test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
- "default-src 'none'; script-src https://foo.com;"));
+ "default-src 'none'; frame-src https://foo.com;"));
BrowserPolicy.content.allowObjectOrigin("foo.com//");
test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
- "default-src 'none'; script-src https://foo.com; " +
+ "default-src 'none'; frame-src https://foo.com; " +
"object-src http://foo.com https://foo.com;"));
});
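Review bot: The trailing-slash assertion now exercises `frame-src` instead of `script-src`, so `script-src` loses the only direct check of origin trimming in this test; since the new resource type shares the same generated methods, it would be better to add the frame case alongside the existing one rather than replace it. Concretely, keep `BrowserPolicy.content.allowScriptOrigin("https://foo.com/");`, add `BrowserPolicy.content.allowFrameOrigin("https://foo.com/");`, and expect `"default-src 'none'; script-src https://foo.com; frame-src https://foo.com;"`, assuming `cspsEqual` is order-insensitive as its name suggests (it is defined outside this hunk). The second assertion would then likewise carry both directives plus `object-src`.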
