From 0eb4c7f7bad4e176bb08a91c6d8d9ae4e977c75a Mon Sep 17 00:00:00 2001
From: Matt-Yorkley
Date: Sat, 27 May 2017 11:25:25 +0100
Subject: [PATCH] Require https for embedding sites
---
 app/controllers/application_controller.rb | 1 +
 1 file changed, 1 insertion(+)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 2ec49a4880..3b7673bdca 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -52,6 +52,7 @@ class ApplicationController < ActionController::Base
   def enable_embedded_shopfront
     whitelist = Spree::Config[:embedded_shopfronts_whitelist]
     return unless Spree::Config[:enable_embedded_shopfronts] and whitelist.present?
+    return if (request.referer and URI(request.referer).scheme != 'https' and !Rails.env.test?)
     response.headers.delete 'X-Frame-Options'
     response.headers['Content-Security-Policy'] = "frame-ancestors #{whitelist}"
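Review bot: The added `return if (request.referer and ...)` guard is skipped whenever the Referer header is absent, and that header is routinely stripped by browsers (Referrer-Policy, cross-origin downgrades) or set freely by a client, so it cannot enforce an https-only embedding policy on its own; the `frame-ancestors #{whitelist}` CSP set two lines below is the control that actually restricts framing, and this check should be documented as best-effort, e.g. `# Best-effort: Referer is client-controlled and often absent; frame-ancestors below is the real restriction.` `URI(request.referer)` also raises `URI::InvalidURIError` on a malformed Referer value, which would turn any request carrying a bad header into a 500 at this line; a scheme check that cannot raise is `return if request.referer.present? && !request.referer.downcase.start_with?('https://') && !Rails.env.test?`. Baking `!Rails.env.test?` into a security guard means the production branch is never exercised by the test suite; setting an https Referer in the relevant specs would let that bypass be dropped. The `and` keyword inside the condition is the precedence trap RuboCop flags (`&&` is the boolean operator), even though the surrounding parentheses make it harmless here. The method's closing `end` falls outside the visible hunk.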