Add frame-src to browser-policy-content.

meteor · Jan 12, 2014 · 189845f · 189845f
1 parent f899414
commit 189845f
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/docs/client/packages/browser-policy.html b/docs/client/packages/browser-policy.html
@@ -111,7 +111,7 @@
 
 Finally, you can configure a whitelist of allowed requests that various types of
 content can make. The following functions are defined for the content types
-script, object, image, media, font, and connect.
+script, object, image, media, font, frame, and connect.
 
 <dl class="callbacks">
 {{#dtdd "BrowserPolicy.content.allow&lt;ContentType&gt;Origin(origin)"}}
@@ -162,6 +162,12 @@
 `https://example.com`.
 * `BrowserPolicy.content.allowConnectOrigin("https://example.com")` allows XMLHttpRequest
 and WebSocket connections to `https://example.com`.
+* `BrowserPolicy.content.allowFrameOrigin("https://example.com")` allows
+your site to load the origin `https://example.com` in a frame or
+iframe. The `BrowserPolicy.framing` API allows you to control which
+sites can frame your site, while
+`BrowserPolicy.content.allowFrameOrigin` allows you to control which
+sites can be loaded inside frames on your site.
 
 
 {{/better_markdown}}

diff --git a/packages/browser-policy-content/browser-policy-content.js b/packages/browser-policy-content/browser-policy-content.js
@@ -227,7 +227,7 @@ _.extend(BrowserPolicy.content, {
 // allow<Resource>Origin, allow<Resource>Data, allow<Resource>self, and
 // disallow<Resource> methods for each type of resource.
 _.each(["script", "object", "img", "media",
-        "font", "connect", "style"],
+        "font", "connect", "style", "frame"],
        function (resource) {
          var directive = resource + "-src";
          var methodResource;

diff --git a/packages/browser-policy/browser-policy-test.js b/packages/browser-policy/browser-policy-test.js
@@ -129,12 +129,12 @@ Tinytest.add("browser-policy - csp", function (test) {
 
   // Check that trailing slashes are trimmed from origins.
   BrowserPolicy.content.disallowAll();
-  BrowserPolicy.content.allowScriptOrigin("https://foo.com/");
+  BrowserPolicy.content.allowFrameOrigin("https://foo.com/");
   test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
-                        "default-src 'none'; script-src https://foo.com;"));
+                        "default-src 'none'; frame-src https://foo.com;"));
   BrowserPolicy.content.allowObjectOrigin("foo.com//");
   test.isTrue(cspsEqual(BrowserPolicy.content._constructCsp(),
-                        "default-src 'none'; script-src https://foo.com; " +
+                        "default-src 'none'; frame-src https://foo.com; " +
                         "object-src http://foo.com https://foo.com;"));
 });