This repository has been archived by the owner on May 16, 2021. It is now read-only.

Adds ability to allow or deny being embedded based on the referrer domain #95

Closed
wants to merge 6 commits into from

Conversation

joaomilho

Since ALLOW-FROM doesn't work properly on Chrome (and I heard Firefox), we need to be able to allow or deny being embedded based on the referrer domain. This PR adds this ability, and this is the interface of usage:

use Rack::Protection::FrameOptions, allow_if: ->(domain){
  domain == 'google.com'
}

This would allow the page to be on an iframe on google.com, and nowhere else.

WDYT?

@joaomilho
Author

All is well! :D

@nathanstitt
Contributor

I just submitted #108 which adds allow_if to HttpOrigin for CORS. For my purposes I needed to filter on the request URL, so I pass the entire env to the proc.

Perhaps this PR should do the same? That would allow the proc's logic to be much more flexible and allow/deny the request based on more than just the domain.

@zzak
Member

zzak commented Jul 27, 2016

Closing this in favor of #108, thank you for the patch!

With that patch merged, you have access to the env (including referrer domain) which allows you to do any custom logic there in the :allow_if proc.

I'd rather have that and let people shoot their own feet, than trying to parse the HTTP_REFERER on our own. In any case, that's probably something that should be handled in a secure way which I'm not comfortable with.
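The two designs discussed in this thread (a proc that receives only the referrer domain, versus the #108 approach where the proc receives the whole Rack env) can be tried out with a small stand-alone middleware. The code below is an added example, not rack-protection's own code and not the patch from this PR; `ReferrerFrameOptions`, `referrer_host` and `header_for` are hypothetical names, and the sample app and requests are constructed. It follows the env-passing interface and leaves Referer parsing to the caller, as zzak suggests, with a helper that fails closed: a missing or unparseable Referer yields `nil`, which the exact host comparison treats as "deny", so `X-Frame-Options` is still emitted.

```ruby
require 'uri'

# Added example (not rack-protection's code): a minimal Rack middleware that
# emits X-Frame-Options unless an :allow_if proc, given the full Rack env,
# returns true. Mirrors the interface proposed in this PR and in #108.
class ReferrerFrameOptions
  DEFAULT_OPTIONS = { frame_options: :sameorigin, allow_if: nil }.freeze

  def initialize(app, options = {})
    @app = app
    @options = DEFAULT_OPTIONS.merge(options)
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Respect a header the app set itself; otherwise protect unless allowed.
    unless headers.key?('X-Frame-Options') || allowed?(env)
      headers['X-Frame-Options'] = frame_options_value
    end
    [status, headers, body]
  end

  # Helper for callers: host of the Referer header, or nil when the header is
  # absent or not a parseable URI. Callers comparing against nil get "deny",
  # so the default stays fail-closed.
  def self.referrer_host(env)
    ref = env['HTTP_REFERER']
    return nil if ref.nil? || ref.empty?
    URI.parse(ref).host
  rescue URI::InvalidURIError
    nil
  end

  private

  def allowed?(env)
    proc = @options[:allow_if]
    return false if proc.nil?
    !!proc.call(env)
  end

  def frame_options_value
    v = @options[:frame_options]
    v.is_a?(Symbol) ? v.to_s.upcase : v
  end
end

# Constructed sample app: always returns 200 with no frame header of its own.
APP = ->(_env) { [200, { 'Content-Type' => 'text/plain' }, ['ok']] }

# Runs one constructed request through the middleware and returns the
# resulting X-Frame-Options value (nil means framing was allowed).
def header_for(referer)
  mw = ReferrerFrameOptions.new(APP, allow_if: lambda { |env|
    # Exact host match, so "google.com.attacker.example" does not qualify.
    ReferrerFrameOptions.referrer_host(env) == 'google.com'
  })
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' }
  env['HTTP_REFERER'] = referer unless referer.nil?
  _status, headers, _body = mw.call(env)
  headers['X-Frame-Options']
end

if $PROGRAM_NAME == __FILE__
  [nil, 'https://google.com/search?q=x', 'https://other.example/', 'not a url'].each do |ref|
    puts "#{ref.inspect.ljust(36)} => #{header_for(ref).inspect}"
  end
end
```

Because the proc sees the whole env, the same middleware supports the request-URL filtering nathanstitt needed for CORS, while the domain-only policy from the PR description is just one particular proc. Note that `referrer_host` compares the parsed host exactly and deliberately does not do substring matching.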

@zzak zzak closed this Jul 27, 2016

3 participants