Remove X-Frame-Options header

This header is largely deprecated, and is functionally replaced here by the frame-ancestors CSP configuration.
This commit is contained in:
Matt-Yorkley
2021-12-25 01:46:44 +00:00
parent ce9b64a848
commit 05abb63036
3 changed files with 5 additions and 12 deletions


@@ -37,7 +37,6 @@ class ApplicationController < ActionController::Base
include Spree::Core::ControllerHelpers::RespondWith
include Spree::Core::ControllerHelpers::Common
prepend_before_action :restrict_iframes
before_action :set_cache_headers # prevent cart emptying via cache when using back button #1213
include RawParams
@@ -107,11 +106,6 @@ class ApplicationController < ActionController::Base
session[:shopfront_redirect]
end
def restrict_iframes
response.headers['X-Frame-Options'] = 'DENY'
response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"
end
def enable_embedded_shopfront
embed_service = EmbeddedPageService.new(params, session, request, response)
embed_service.embed!


@@ -204,6 +204,9 @@ module Openfoodnetwork
# Version of your assets, change this if you want to expire all your assets
config.assets.version = '1.2'
# Unset X-Frame-Options header for embedded pages.
config.action_dispatch.default_headers.except! "X-Frame-Options"
# css and js files other than application.* are not precompiled by default
# Instead, they must be explicitly included below
# http://stackoverflow.com/questions/8012434/what-is-the-purpose-of-config-assets-precompile
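Review bot: The comment above `config.action_dispatch.default_headers.except! "X-Frame-Options"` says the header is unset "for embedded pages", but `except!` on the default headers drops it from every response the app emits, not just embedded ones; suggest `# Drop Rails' default X-Frame-Options for all responses; framing is governed solely by the Content-Security-Policy frame-ancestors directive.` With the controller's `restrict_iframes` also gone (first file in this commit), any response that does not pass through whatever now sets `frame-ancestors` — which is not visible in this diff — no longer carries any framing restriction, whereas before it at least inherited the Rails default; it is worth confirming the CSP is applied at initializer/middleware level so engine controllers and error pages are covered too. Note also that browsers without `frame-ancestors` support lose clickjacking protection entirely, so keeping `X-Frame-Options: DENY` alongside the CSP as defence in depth is the more conservative option if legacy clients matter.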


@@ -20,7 +20,7 @@ describe "setting response headers for embedded shopfronts", type: :request do
it "disables iframes by default" do
get shops_path
expect(response.status).to be 200
expect(response.headers['X-Frame-Options']).to eq 'DENY'
expect(response.headers['X-Frame-Options']).to be_nil
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
end
end
@@ -38,7 +38,6 @@ describe "setting response headers for embedded shopfronts", type: :request do
it "disables iframes" do
get shops_path
expect(response.status).to be 200
expect(response.headers['X-Frame-Options']).to eq 'DENY'
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
end
end
@@ -53,13 +52,11 @@ describe "setting response headers for embedded shopfronts", type: :request do
get enterprise_shop_path(enterprise) + '?embedded_shopfront=true'
expect(response.status).to be 200
expect(response.headers['X-Frame-Options']).to be_nil
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'self' external-site.com"
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors external-site.com"
get spree.admin_dashboard_path
expect(response.status).to be 200
expect(response.headers['X-Frame-Options']).to eq 'DENY'
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
end
end
@@ -74,7 +71,6 @@ describe "setting response headers for embedded shopfronts", type: :request do
get enterprise_shop_path(enterprise) + '?embedded_shopfront=true'
expect(response.status).to be 200
expect(response.headers['X-Frame-Options']).to be_nil
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'self' www.external-site.com"
end
end
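Review bot: The expectation in the third hunk changes the embedded-shopfront value from `frame-ancestors 'self' external-site.com` to `frame-ancestors external-site.com`, but no file in this commit changes how that header is built, so either that behaviour change landed in another commit or this assertion now fails; worth confirming against the service that emits it. Dropping `'self'` also means the shopfront can no longer be framed by the site's own origin, which is a functional change rather than part of the X-Frame-Options removal described in the commit message. The enclosing `it` block of that hunk starts outside the hunk.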