From e173f823c8a6b086e1aec083b6cf6191d4142d5d Mon Sep 17 00:00:00 2001
From: Matt-Yorkley
Date: Fri, 5 Jan 2018 21:34:26 +0000
Subject: [PATCH] Refactor embedded logic

---
 app/controllers/application_controller.rb | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 7a64aa1776..8501e6743b 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -55,13 +55,11 @@ class ApplicationController < ActionController::Base
   end
 
   def enable_embedded_shopfront
-    whitelist = Spree::Config[:embedded_shopfronts_whitelist]
-    domain = embedded_shopfront_referer
-    return unless Spree::Config[:enable_embedded_shopfronts] && whitelist.present? && domain.present? && whitelist.include?(domain)
-    return if request.referer && URI(request.referer).scheme != 'https' && !Rails.env.test? && !Rails.env.development?
+    return unless embeddable?
+    return if embedding_without_https?
 
     response.headers.delete 'X-Frame-Options'
-    response.headers['Content-Security-Policy'] = "frame-ancestors #{domain}"
+    response.headers['Content-Security-Policy'] = "frame-ancestors #{embedded_shopfront_referer}"
 
     check_embedded_request
     set_embedded_layout
@@ -72,6 +70,16 @@ class ApplicationController < ActionController::Base
     URI(request.referer).host.sub!(/^www./, '')
   end
 
+  def embeddable?
+    whitelist = Spree::Config[:embedded_shopfronts_whitelist]
+    domain = embedded_shopfront_referer
+    Spree::Config[:enable_embedded_shopfronts] && whitelist.present? && domain.present? && whitelist.include?(domain)
+  end
+
+  def embedding_without_https?
+    request.referer && URI(request.referer).scheme != 'https' && !Rails.env.test? && !Rails.env.development?
+  end
+
   def check_embedded_request
     return unless params[:embedded_shopfront]
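Review bot: The `frame-ancestors` value written on the new Content-Security-Policy line is taken from the Referer header, and its only guard is `whitelist.include?(domain)` inside `embeddable?` in the following hunk; if `Spree::Config[:embedded_shopfronts_whitelist]` is a String rather than an Array — its type is not visible here — `include?` is a substring match, not an exact host comparison, and the preference should be split into a list before the comparison, e.g. `whitelist.split.include?(domain)` when it is a String. The header line also re-evaluates `embedded_shopfront_referer` after `embeddable?` has already done so, parsing the Referer twice per request; memoising it with `@embedded_shopfront_referer ||= ...` keeps both reads consistent and avoids the double parse. Note that the context line `URI(request.referer).host.sub!(/^www./, '')` returns nil whenever the host does not start with "www.", so `embeddable?` is false for bare domains, and the pattern leaves `.` and `^` unescaped; `sub(/\Awww\./, '')` would address both. `enable_embedded_shopfront` ends outside the hunk.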