authorRob Crittenden <rcritten@redhat.com>2015-04-23 16:42:27 -0400
committerRob Crittenden <rcritten@redhat.com>2015-04-23 16:42:27 -0400
commitece02452eb1b83c3e8bd9391ac89fab83160f948 (patch)
tree9281d35f4c8500b66a73b018a1430abe939c9e71 /ipsilon/providers
parentbf5398120e33ff3e88d7b3794c9437e7e75ee369 (diff)
Disallow iframes via X-Frame-Options and CSP by defaultxframe_headers
A decorator, allow_iframe, is also created so that specific pages can remove the deny values and allow operating within a frame. The Persona plugin relies on iframes and uses this decorator for all endpoints. https://fedorahosted.org/ipsilon/ticket/15 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Diffstat (limited to 'ipsilon/providers')
-rw-r--r--ipsilon/providers/persona/auth.py5
1 files changed, 5 insertions, 0 deletions
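--- a/ipsilon/providers/persona/auth.py
+++ b/ipsilon/providers/persona/auth.py
@@ -3,6 +3,7 @@
 from ipsilon.providers.common import ProviderPageBase
 from ipsilon.util.trans import Transaction
 from ipsilon.util.user import UserSession
+from ipsilon.util.endpoint import allow_iframe
 import base64
 import cherrypy
@@ -80,6 +81,7 @@ class Sign(AuthenticateRequest):
 return True
 return False
+ @allow_iframe
 def POST(self, *args, **kwargs):
 if 'email' not in kwargs or 'publicKey' not in kwargs \
 or 'certDuration' not in kwargs or '@' not in kwargs['email']:
@@ -102,6 +104,7 @@ class Sign(AuthenticateRequest):
 class SignInResult(AuthenticateRequest):
+ @allow_iframe
 def GET(self, *args, **kwargs):
 user = UserSession().get_user()
@@ -115,6 +118,7 @@ class SignIn(AuthenticateRequest):
 self.result = SignInResult(*args, **kwargs)
 self.trans = None
+ @allow_iframe
 def GET(self, *args, **kwargs):
 username = None
 domain = None
@@ -144,6 +148,7 @@ class Persona(AuthenticateRequest):
 self.SignIn = SignIn(*args, **kwargs)
 self.trans = None
+ @allow_iframe
 def GET(self, *args, **kwargs):
 user = UserSession().get_user()
 return self._template('persona/provisioning.html',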
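Review bot: The four `@allow_iframe` decorations (Sign.POST, SignInResult.GET, SignIn.GET, Persona.GET) re-open framing for endpoints that read the authenticated session (`UserSession().get_user()`) and, in Sign.POST, act on request parameters, so the protection this commit adds by default is switched off exactly on the provider's sensitive pages. The decorator body lives in ipsilon.util.endpoint and is not in this diff; if it strips X-Frame-Options and the CSP directive entirely rather than narrowing `frame-ancestors` to the origin Persona actually frames these pages from, any site can embed them, so an allow-list form of the decorator would be the safer default and is worth confirming before relying on it. None of the decorated methods carry a note on why the exception exists, so a one-line comment above each decorator such as `# Persona loads this endpoint inside its own iframe; the default frame denial is relaxed here on purpose.` would keep the next maintainer from removing it or copying it to an endpoint that does not need it. Each decorated method body continues outside its hunk, and Persona.GET's `_template` call is cut off at the end of the last hunk.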