diff options
author | Rob Crittenden <rcritten@redhat.com> | 2015-04-23 16:42:27 -0400 |
---|---|---|
committer | Patrick Uiterwijk <puiterwijk@redhat.com> | 2015-04-24 19:10:34 +0200 |
commit | 44f663ac7dc5a6f28b25b083a21f6d9e912cff92 (patch) | |
tree | 1975cf213d09bd9f1988e191366636fe4d39fee8 /ipsilon/providers/persona | |
parent | b6d5f11ffe484e2ba7de14c7bac31c52461fe791 (diff) | |
download | ipsilon.git-44f663ac7dc5a6f28b25b083a21f6d9e912cff92.tar.gz ipsilon.git-44f663ac7dc5a6f28b25b083a21f6d9e912cff92.tar.xz ipsilon.git-44f663ac7dc5a6f28b25b083a21f6d9e912cff92.zip |
Disallow iframes via X-Frame-Options and CSP by default
A decorator, allow_iframe, is also created so that specific
pages can remove the deny values and allow operating within
a frame.
The Persona plugin relies on iframes and uses this decorator
for all endpoints.
https://fedorahosted.org/ipsilon/ticket/15
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>
Diffstat (limited to 'ipsilon/providers/persona')
-rw-r--r-- | ipsilon/providers/persona/auth.py | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/ipsilon/providers/persona/auth.py b/ipsilon/providers/persona/auth.py index d314993..aeeaa5b 100644 --- a/ipsilon/providers/persona/auth.py +++ b/ipsilon/providers/persona/auth.py @@ -2,6 +2,7 @@ from ipsilon.providers.common import ProviderPageBase from ipsilon.util.user import UserSession +from ipsilon.util.endpoint import allow_iframe import base64 import cherrypy @@ -71,6 +72,7 @@ class Sign(AuthenticateRequest): return True return False + @allow_iframe def POST(self, *args, **kwargs): if 'email' not in kwargs or 'publicKey' not in kwargs \ or 'certDuration' not in kwargs or '@' not in kwargs['email']: @@ -93,6 +95,7 @@ class Sign(AuthenticateRequest): class SignInResult(AuthenticateRequest): + @allow_iframe def GET(self, *args, **kwargs): user = UserSession().get_user() @@ -106,6 +109,7 @@ class SignIn(AuthenticateRequest): self.result = SignInResult(*args, **kwargs) self.trans = None + @allow_iframe def GET(self, *args, **kwargs): username = None domain = None @@ -135,6 +139,7 @@ class Persona(AuthenticateRequest): self.SignIn = SignIn(*args, **kwargs) self.trans = None + @allow_iframe def GET(self, *args, **kwargs): user = UserSession().get_user() return self._template('persona/provisioning.html', |