diff options
| author | Rob Crittenden <rcritten@redhat.com> | 2015-04-23 16:42:27 -0400 |
|---|---|---|
| committer | Rob Crittenden <rcritten@redhat.com> | 2015-04-23 16:42:27 -0400 |
| commit | ece02452eb1b83c3e8bd9391ac89fab83160f948 (patch) | |
| tree | 9281d35f4c8500b66a73b018a1430abe939c9e71 | |
| parent | bf5398120e33ff3e88d7b3794c9437e7e75ee369 (diff) | |
| download | ipsilon.git-xframe_headers.tar.gz ipsilon.git-xframe_headers.tar.xz ipsilon.git-xframe_headers.zip | |
Disallow iframes via X-Frame-Options and CSP by defaultxframe_headers
A decorator, allow_iframe, is also created so that specific
pages can remove the deny values and allow operating within
a frame.
The Persona plugin relies on iframes and uses this decorator
for all endpoints.
https://fedorahosted.org/ipsilon/ticket/15
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
| -rw-r--r-- | ipsilon/providers/persona/auth.py | 5 | ||||
| -rw-r--r-- | ipsilon/util/endpoint.py | 20 |
2 files changed, 25 insertions, 0 deletions
diff --git a/ipsilon/providers/persona/auth.py b/ipsilon/providers/persona/auth.py index f713347..aedfbcf 100644 --- a/ipsilon/providers/persona/auth.py +++ b/ipsilon/providers/persona/auth.py @@ -3,6 +3,7 @@ from ipsilon.providers.common import ProviderPageBase from ipsilon.util.trans import Transaction from ipsilon.util.user import UserSession +from ipsilon.util.endpoint import allow_iframe import base64 import cherrypy @@ -80,6 +81,7 @@ class Sign(AuthenticateRequest): return True return False + @allow_iframe def POST(self, *args, **kwargs): if 'email' not in kwargs or 'publicKey' not in kwargs \ or 'certDuration' not in kwargs or '@' not in kwargs['email']: @@ -102,6 +104,7 @@ class Sign(AuthenticateRequest): class SignInResult(AuthenticateRequest): + @allow_iframe def GET(self, *args, **kwargs): user = UserSession().get_user() @@ -115,6 +118,7 @@ class SignIn(AuthenticateRequest): self.result = SignInResult(*args, **kwargs) self.trans = None + @allow_iframe def GET(self, *args, **kwargs): username = None domain = None @@ -144,6 +148,7 @@ class Persona(AuthenticateRequest): self.SignIn = SignIn(*args, **kwargs) self.trans = None + @allow_iframe def GET(self, *args, **kwargs): user = UserSession().get_user() return self._template('persona/provisioning.html', diff --git a/ipsilon/util/endpoint.py b/ipsilon/util/endpoint.py index f160329..0016bc2 100644 --- a/ipsilon/util/endpoint.py +++ b/ipsilon/util/endpoint.py @@ -4,6 +4,7 @@ import cherrypy from ipsilon.util.log import Log from ipsilon.util.user import UserSession from urllib import unquote +from functools import wraps try: from urlparse import urlparse except ImportError: @@ -11,6 +12,23 @@ except ImportError: from urllib.parse import urlparse +def allow_iframe(func): + """ + Remove the X-Frame-Options and CSP frame-options deny headers. + """ + @wraps(func) + def wrapper(*args, **kwargs): + result = func(*args, **kwargs) + for (header, value) in [ + ('X-Frame-Options', 'deny'), + ('Content-Security-Policy', 'frame-options \'deny\'')]: + if cherrypy.response.headers.get(header, None) == value: + cherrypy.response.headers.pop(header, None) + return result + + return wrapper + + class Endpoint(Log): def __init__(self, site): self._site = site @@ -19,6 +37,8 @@ class Endpoint(Log): self.default_headers = { 'Cache-Control': 'no-cache, no-store, must-revalidate, private', 'Pragma': 'no-cache', + 'Content-Security-Policy': 'frame-options \'deny\'', + 'X-Frame-Options': 'deny', } self.auth_protect = False |