Enable iframes for embedded shopfronts

2026-01-24 20:36:49 +00:00 · 2017-05-03 13:38:02 +01:00
parent b1452f097d
commit 113f6565be
17 changed files with 122 additions and 0 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -3,6 +3,8 @@ require 'open_food_network/referer_parser'
 class ApplicationController < ActionController::Base
  protect_from_forgery

+  prepend_before_filter :restrict_iframes
+
  include EnterprisesHelper
  helper CssSplitter::ApplicationHelper

@@ -20,6 +22,21 @@ class ApplicationController < ActionController::Base

  private

+  def restrict_iframes
+    response.headers['X-Frame-Options'] = 'DENY'
+    response.headers['Content-Security-Policy'] = "frame-ancestors 'none'"
+  end
+
+  def enable_embedded_shopfront
+    return unless Spree::Config[:enable_embedded_shopfronts]
+
+    @session_data = session
+
+    whitelist = Spree::Config[:embedded_shopfronts_whitelist] || "'none'"
+    response.headers.delete 'X-Frame-Options'
+    response.headers['Content-Security-Policy'] = "frame-ancestors #{whitelist}"
+  end
+
  def action
    params[:action].to_sym
  end
--- a/app/controllers/checkout_controller.rb
+++ b/app/controllers/checkout_controller.rb
@@ -9,6 +9,7 @@ class CheckoutController < Spree::CheckoutController
  prepend_before_filter :require_distributor_chosen

  skip_before_filter :check_registration
+  before_filter :enable_embedded_shopfront

  include OrderCyclesHelper
  include EnterprisesHelper
--- a/app/controllers/enterprises_controller.rb
+++ b/app/controllers/enterprises_controller.rb
@@ -10,6 +10,7 @@ class EnterprisesController < BaseController
  before_filter :check_stock_levels, only: :shop

  before_filter :clean_permalink, only: :check_permalink
+  before_filter :enable_embedded_shopfront

  respond_to :js, only: :permalink_checker

--- a/app/controllers/home_controller.rb
+++ b/app/controllers/home_controller.rb
@@ -1,6 +1,8 @@
 class HomeController < BaseController
  layout 'darkswarm'

+  before_filter :enable_embedded_shopfront
+
  def index
    if ContentConfig.home_show_stats
      @num_distributors = Enterprise.is_distributor.activated.visible.count
--- a/app/controllers/producers_controller.rb
+++ b/app/controllers/producers_controller.rb
@@ -1,6 +1,8 @@
 class ProducersController < BaseController
  layout 'darkswarm'

+  before_filter :enable_embedded_shopfront
+
  def index
  end
 end
--- a/app/controllers/shop_controller.rb
+++ b/app/controllers/shop_controller.rb
@@ -4,6 +4,7 @@ class ShopController < BaseController
  layout "darkswarm"
  before_filter :require_distributor_chosen
  before_filter :set_order_cycles
+  before_filter :enable_embedded_shopfront

  def show
    redirect_to main_app.enterprise_shop_path(current_distributor)
--- a/app/controllers/shops_controller.rb
+++ b/app/controllers/shops_controller.rb
@@ -1,6 +1,9 @@
 class ShopsController < BaseController
  layout 'darkswarm'

+  before_filter :enable_embedded_shopfront
+
  def index
+    #@embeddable = "test"
  end
 end
--- a/app/controllers/spree/checkout_controller_decorator.rb
+++ b/app/controllers/spree/checkout_controller_decorator.rb
@@ -4,6 +4,8 @@ Spree::CheckoutController.class_eval do

  include CheckoutHelper

+  before_filter :enable_embedded_shopfront
+
  def edit
    flash.keep
    redirect_to main_app.checkout_path
--- a/app/controllers/spree/orders_controller_decorator.rb
+++ b/app/controllers/spree/orders_controller_decorator.rb
@@ -4,6 +4,7 @@ Spree::OrdersController.class_eval do
  after_filter  :populate_variant_attributes, only: :populate
  before_filter :update_distribution, only: :update
  before_filter :filter_order_params, only: :update
+  before_filter :enable_embedded_shopfront

  prepend_before_filter :require_order_cycle, only: :edit
  prepend_before_filter :require_distributor_chosen, only: :edit
--- a/app/controllers/spree/paypal_controller_decorator.rb
+++ b/app/controllers/spree/paypal_controller_decorator.rb
@@ -2,6 +2,7 @@ Spree::PaypalController.class_eval do
  include CheckoutHelper

  after_filter :reset_order_when_complete, only: :confirm
+  before_filter :enable_embedded_shopfront

  def cancel
    flash[:notice] = t('flash.cancel', :scope => 'paypal')
--- a/app/controllers/spree/users_controller_decorator.rb
+++ b/app/controllers/spree/users_controller_decorator.rb
@@ -1,3 +1,5 @@
 Spree::UsersController.class_eval do
  layout 'darkswarm'
+
+  before_filter :enable_embedded_shopfront
 end
--- a/app/models/spree/app_configuration_decorator.rb
+++ b/app/models/spree/app_configuration_decorator.rb
@@ -4,6 +4,10 @@ Spree::AppConfiguration.class_eval do
  # we can allow to be modified in the UI by adding appropriate form
  # elements to existing or new configuration pages.

+  # Embedded Shopfronts
+  preference :enable_embedded_shopfronts, :boolean, default: false
+  preference :embedded_shopfronts_whitelist, :text, default: nil
+
  # Terms of Service Preferences
  preference :enterprises_require_tos, :boolean, default: false

--- a/app/overrides/spree/admin/general_settings/edit/embedded_shopfront_settings.html.haml.deface
+++ b/app/overrides/spree/admin/general_settings/edit/embedded_shopfront_settings.html.haml.deface
@@ -0,0 +1,11 @@
+/ insert_after "fieldset.security"
+
+%fieldset.embedded_shopfronts.no-border-bottom
+  %legend{:align => "center"}= t('admin.shopfront_settings.embedded_shopfront_settings')
+  .field
+    = preference_field_tag(:enable_embedded_shopfronts, Spree::Config[:enable_embedded_shopfronts], type: Spree::Config.preference_type(:enable_embedded_shopfronts))
+    = label_tag(:enable_embedded_shopfronts, t('admin.shopfront_settings.enable_embedded_shopfronts')) + tag(:br)
+  .field
+    = label_tag(:embedded_shopfronts_whitelist, t('admin.shopfront_settings.embedded_shopfronts_whitelist')) + tag(:br)
+    = preference_field_tag(:embedded_shopfronts_whitelist, Spree::Config[:embedded_shopfronts_whitelist], type: Spree::Config.preference_type(:embedded_shopfronts_whitelist))
+
--- a/config/locales/en-GB.yml
+++ b/config/locales/en-GB.yml
@@ -97,6 +97,10 @@ en-GB:
        update_user_invoice_explained: "Use this button to immediately update invoices for the month to date for each enterprise user in the system. This task can be set up to run automatically every night."
        auto_finalise_invoices: "Auto-finalise invoices monthly on the 2nd at 1:30am"
        auto_update_invoices: "Auto-update invoices nightly at 1:00am"
+    shopfront_settings:
+      embedded_shopfront_settings: Embedded Shopfront Settings
+      enable_embedded_shopfronts: Enable Embedded Shopfronts
+      embedded_shopfronts_whitelist: External Domains Whitelist
    business_model_configuration:
      edit:
        business_model_configuration: "Business Model"
--- a/config/locales/en.yml
+++ b/config/locales/en.yml
@@ -229,6 +229,11 @@ en:
        default_payment_method: must be set if you wish to create invoices for enterprise users.
        default_shipping_method: must be set if you wish to create invoices for enterprise users.

+    shopfront_settings:
+      embedded_shopfront_settings: Embedded Shopfront Settings
+      enable_embedded_shopfronts: Enable Embedded Shopfronts
+      embedded_shopfronts_whitelist: External Domains Whitelist
+
    business_model_configuration:
      edit:
        business_model_configuration: "Business Model"
--- a/spec/dummy/iframe_test.html
+++ b/spec/dummy/iframe_test.html
@@ -0,0 +1,10 @@
+<html>
+<head></head>
+<body>
+
+<p>Iframe Test</p>
+
+<iframe src="http://test.com/shops" name="test_iframe" id="test_iframe" style="width:100%;min-height:30em"></iframe>
+
+</body>
+</html>
--- a/spec/features/consumer/shopping/embedded_shopfronts_spec.rb
+++ b/spec/features/consumer/shopping/embedded_shopfronts_spec.rb
@@ -0,0 +1,55 @@
+require 'spec_helper'
+
+feature "Using embedded shopfront functionality", js: true do
+  include AuthenticationWorkflow
+  include WebHelper
+
+  describe "enabling embedded shopfronts" do
+    before do
+      Spree::Config[:enable_embedded_shopfronts] = false
+    end
+
+    it "disables iframes by default" do
+      visit shops_path
+      expect(page.response_headers['X-Frame-Options']).to eq 'DENY'
+      expect(page.response_headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
+    end
+
+    it "allows iframes on certain pages when enabled in configuration" do
+      quick_login_as_admin
+
+      visit spree.edit_admin_general_settings_path
+
+      check 'enable_embedded_shopfronts'
+      fill_in 'embedded_shopfronts_whitelist', with: "test.com"
+
+      click_button 'Update'
+
+      visit shops_path
+      expect(page.response_headers['X-Frame-Options']).to be_nil
+      expect(page.response_headers['Content-Security-Policy']).to eq "frame-ancestors test.com"
+    end
+  end
+
+  describe "using iframes", js: true do
+    before do
+      Spree::Config[:enable_embedded_shopfronts] = true
+    end
+
+    after do
+      Spree::Config[:enable_embedded_shopfronts] = false
+    end
+
+    pending "displays iframe content" do
+      Capybara.current_session.driver.visit('spec/dummy/iframe_test.html')
+
+      expect(page).to have_text 'Iframe Test'
+      expect(page).to have_selector 'iframe#test_iframe'
+
+      within_frame 'test_iframe' do
+        sleep 1
+        expect(page).to have_content "OFN" # currently fails...
+      end
+    end
+  end
+end