raggedstaff/openfoodnetwork
1
0
Fork 0
mirror of https://github.com/openfoodfoundation/openfoodnetwork synced 2026-01-24 20:36:49 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ensure domain in SSL header matches request with or without www prefix

Browse Source
This commit is contained in:
Matt-Yorkley
2018-05-21 17:50:34 +01:00
parent d218a51d96
commit c2934d3570
2 changed files with 17 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/controllers/application_controller.rb
View File

@@ -60,7 +60,7 @@ class ApplicationController < ActionController::Base
return if embedding_without_https?
response.headers.delete 'X-Frame-Options'
response.headers['Content-Security-Policy'] = "frame-ancestors #{embedded_shopfront_referer}"
response.headers['Content-Security-Policy'] = "frame-ancestors #{URI(request.referer).host.downcase}"
check_embedded_request
set_embedded_layout

17
spec/requests/embedded_shopfronts_headers_spec.rb
View File

@@ -44,7 +44,7 @@ describe "setting response headers for embedded shopfronts", type: :request do
context "with a valid whitelist" do
before do
Spree::Config[:embedded_shopfronts_whitelist] = "example.com external-site.com"
allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://www.external-site.com/shop?embedded_shopfront=true')
allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://external-site.com/shop?embedded_shopfront=true')
end
it "allows iframes on certain pages when enabled in configuration" do
@@ -61,5 +61,20 @@ describe "setting response headers for embedded shopfronts", type: :request do
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
end
end
context "with www prefix" do
before do
Spree::Config[:embedded_shopfronts_whitelist] = "example.com external-site.com"
allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://www.external-site.com/shop?embedded_shopfront=true')
end
it "matches the URL structure in the header" do
get shops_path
expect(response.status).to be 200
expect(response.headers['X-Frame-Options']).to be_nil
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors www.external-site.com"
end
end
end
end