
Add support for frame-ancestors CSP option in browser-policy #7970

Merged (2 commits) Nov 29, 2016

Conversation

moberegger commented Oct 26, 2016

This Pull Request adds support for the frame-ancestors CSP option in the browser-policy package. Right now, there is no easy way to allow and/or restrict specific domains from framing your app. Using the X-Frame-Options header has the following problems:

  • You are only allowed to restrict all domains, only allow same domain, or only allow one other domain. So, if you need to allow multiple domains to frame your app, you can't.
  • The X-Frame-Options header does not work in Chrome or Safari. So even if you want to allow another domain to frame your app, you can't guarantee that it will work in those browsers.

As a result of the above, to allow other domains to frame your app, you have to allow all domains to frame your app.

However, there is a frame-ancestors CSP that allows you to specify which domains can frame your application. This pull request adds an API to do that.

Calling BrowserPolicy.content.allowFrameAncestorsOrigin("https://foo.com/"); will allow foo.com to frame your application. Calling BrowserPolicy.content.disallowFrameAncestors() will forbid other domains from framing your application.

A test has been added to verify that the frame-ancestors CSP is added correctly.

There are also some documentation changes to make note of the new policy.
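The allow/disallow API described above, as an added example that is not part of this pull request or the browser-policy package: it builds the frame-ancestors directive from a list of allowed origins and then checks, from the defender's side, whether a given CSP header would let a particular origin frame the app. The helper names buildFrameAncestors, frameAncestorsAllows and matchesSource are assumptions, and the origins used are constructed.

```javascript
// Added example, not code from the browser-policy package or the Meteor project.
// Assumed helper names: buildFrameAncestors, frameAncestorsAllows, matchesSource.
// Uses only the WHATWG URL class built into Node.js.

// Build the directive that allowFrameAncestorsOrigin(...) / disallowFrameAncestors()
// conceptually produce. Paths are dropped: frame-ancestors matches scheme + host + port.
function buildFrameAncestors(allowedOrigins, allowSelf = true) {
  if (allowedOrigins.length === 0 && !allowSelf) return "frame-ancestors 'none'";
  const sources = allowSelf ? ["'self'"] : [];
  for (const o of allowedOrigins) {
    const u = new URL(o); // throws on a malformed origin rather than emitting junk
    sources.push(`${u.protocol}//${u.host}`);
  }
  return `frame-ancestors ${sources.join(" ")}`;
}

// Defender-side check: given a response's CSP header, the app's own origin and the
// origin of a would-be framing page, decide whether the browser would allow framing.
function frameAncestorsAllows(cspHeader, appOrigin, ancestorOrigin) {
  const directive = cspHeader.split(";").map(s => s.trim())
    .find(s => /^frame-ancestors(\s|$)/i.test(s));
  if (!directive) return true; // no directive: CSP imposes no framing restriction
  const sources = directive.split(/\s+/).slice(1).filter(s => s !== "'none'");
  const app = new URL(appOrigin), anc = new URL(ancestorOrigin);
  return sources.some(src =>
    src === "*" || (src === "'self'" && app.origin === anc.origin) ||
    matchesSource(src, app, anc));
}

const defaultPort = p => (p === "https:" ? "443" : p === "http:" ? "80" : "");

// Match one CSP scheme-source or host-source ([scheme://][*.]host[:port]) against
// the ancestor URL, following the CSP source-matching rules for scheme, host and port.
function matchesSource(src, app, anc) {
  if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) return anc.protocol === src.toLowerCase();
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  // No scheme in the source: the app's own scheme applies (https may upgrade http).
  const wantScheme = scheme ? scheme.toLowerCase() + ":" : app.protocol;
  if (anc.protocol !== wantScheme && !(wantScheme === "http:" && anc.protocol === "https:")) return false;
  const h = host.toLowerCase(), ah = anc.hostname.toLowerCase();
  if (wildcard ? !ah.endsWith("." + h) : ah !== h) return false;
  if (port === "*") return true;
  if (!port) return anc.port === ""; // no port given: only the scheme's default port matches
  return (anc.port || defaultPort(anc.protocol)) === port;
}
```

Unlike X-Frame-Options, the directive can list several origins at once, and the check shows that a non-default port or an unlisted subdomain is rejected.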

zol (Contributor) commented Nov 29, 2016

Lgtm, I'm going to merge this, thank you.

@zol zol merged commit 251e09c into meteor:devel Nov 29, 2016
3 checks passed:
  • CLA: Author has signed the Meteor CLA.
  • ci/circleci: Your tests passed on CircleCI!
  • continuous-integration/travis-ci/pr: The Travis CI build passed
zol pushed a commit that referenced this pull request Nov 29, 2016
Zoltan Olah
abernix added a commit to abernix/meteor that referenced this pull request Nov 30, 2016
This reverts commit 8e22818.
abernix added a commit to abernix/meteor that referenced this pull request Nov 30, 2016
As a correction to 8e22818 which inadvertently removed 1.4 from existence.

Good catch by @mitar.  meteor@8e22818?diff=unified#commitcomment-20013960
zol added a commit that referenced this pull request Nov 30, 2016
Fix history and add history for #7970