From c2934d35705eb9c5a0d0175b2c3fcec3b324c809 Mon Sep 17 00:00:00 2001
From: Matt-Yorkley
Date: Mon, 21 May 2018 17:50:34 +0100
Subject: [PATCH] Ensure domain in SSL header matches request with or without www prefix
---
 app/controllers/application_controller.rb | 2 +-
 .../embedded_shopfronts_headers_spec.rb | 17 ++++++++++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index a4bdc88b8f..d22e8a6ba4 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -60,7 +60,7 @@ class ApplicationController < ActionController::Base
 return if embedding_without_https?
 response.headers.delete 'X-Frame-Options'
- response.headers['Content-Security-Policy'] = "frame-ancestors #{embedded_shopfront_referer}"
+ response.headers['Content-Security-Policy'] = "frame-ancestors #{URI(request.referer).host.downcase}"
 check_embedded_request
 set_embedded_layout
diff --git a/spec/requests/embedded_shopfronts_headers_spec.rb b/spec/requests/embedded_shopfronts_headers_spec.rb
index 8056946f23..9d2c1c523e 100644
--- a/spec/requests/embedded_shopfronts_headers_spec.rb
+++ b/spec/requests/embedded_shopfronts_headers_spec.rb
@@ -44,7 +44,7 @@ describe "setting response headers for embedded shopfronts", type: :request do
 context "with a valid whitelist" do
 before do
 Spree::Config[:embedded_shopfronts_whitelist] = "example.com external-site.com"
- allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://www.external-site.com/shop?embedded_shopfront=true')
+ allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://external-site.com/shop?embedded_shopfront=true')
 end
 it "allows iframes on certain pages when enabled in configuration" do
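Review bot: `URI(request.referer).host.downcase` on the new line has no nil guard and no rescue: a Referer that is present but carries no host component, or one that does not parse, raises (`NoMethodError` on nil, `URI::InvalidURIError`) and turns what should be a rejected embed into a 500, unless `embedding_without_https?` — which runs just before and is outside the hunk — already filters those values. The removed line delegated to `embedded_shopfront_referer`, also outside the hunk, so whatever normalisation or rejection it applied is gone, and the header is now written from the raw request value before `check_embedded_request` runs; it is worth confirming that check still compares the same lower-cased, `www.`-tolerant host the header advertises. I would parse once in a nil-tolerant helper, reject on nil through the existing path, and build the directive from that value, as sketched below. The enclosing method starts and ends outside the hunk.
```ruby
    # … unchanged: return if embedding_without_https? …
    referer_host = embedded_referer_host
    # reject here, via the same path check_embedded_request uses for a
    # non-whitelisted referer, when referer_host is nil
    response.headers.delete 'X-Frame-Options'
    response.headers['Content-Security-Policy'] = "frame-ancestors #{referer_host}"
    # … unchanged: check_embedded_request / set_embedded_layout …

  # Lower-cased host of the Referer header, or nil when the header is missing,
  # has no host component, or does not parse as a URI.
  def embedded_referer_host
    host = URI(request.referer.to_s).host
    host && host.downcase
  rescue URI::InvalidURIError
    nil
  end
```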
@@ -61,5 +61,20 @@ describe "setting response headers for embedded shopfronts", type: :request do
 expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
 end
 end
+
+ context "with www prefix" do
+ before do
+ Spree::Config[:embedded_shopfronts_whitelist] = "example.com external-site.com"
+ allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://www.external-site.com/shop?embedded_shopfront=true')
+ end
+
+ it "matches the URL structure in the header" do
+ get shops_path
+
+ expect(response.status).to be 200
+ expect(response.headers['X-Frame-Options']).to be_nil
+ expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors www.external-site.com"
+ end
+ end
 end
 end
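Review bot: The new context pins only the www-prefixed happy path; nothing in this hunk exercises a Referer that is present but has no host (for example `'/shop?embedded_shopfront=true'`) or does not parse, which is exactly where the controller's new `URI(...).host.downcase` line diverges from the helper it replaced, so an example for such a referer asserting the rejected-embed headers (the context line at the top of this hunk shows `"frame-ancestors 'none'"` as that shape) would lock the behaviour in. The whitelist assignment in the new `before` repeats the one in the earlier context verbatim; hoisting `Spree::Config[:embedded_shopfronts_whitelist] = "example.com external-site.com"` into a shared `before` would keep the two in step. The outer `describe` block starts outside the hunk.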