Disallow iframes via X-Frame-Options and CSP by default

A decorator, allow_iframe, is also created so that specific
pages can remove the deny values and allow operating within
a frame.

The Persona plugin relies on iframes and uses this decorator
for all endpoints.

https://fedorahosted.org/ipsilon/ticket/15

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Patrick Uiterwijk <puiterwijk@redhat.com>

1 files changed, 20 insertions, 0 deletions

diff --git a/ipsilon/util/endpoint.py b/ipsilon/util/endpoint.py
index f160329..0016bc2 100644
--- a/ipsilon/util/endpoint.py
+++ b/ipsilon/util/endpoint.py
@@ -4,6 +4,7 @@ import cherrypy
 from ipsilon.util.log import Log
 from ipsilon.util.user import UserSession
 from urllib import unquote
+from functools import wraps
 try:
     from urlparse import urlparse
 except ImportError:
@@ -11,6 +12,23 @@ except ImportError:
     from urllib.parse import urlparse
 
 
+def allow_iframe(func):
+    """
+    Remove the X-Frame-Options and CSP frame-options deny headers.
+    """
+    @wraps(func)
+    def wrapper(*args, **kwargs):
+        result = func(*args, **kwargs)
+        for (header, value) in [
+                ('X-Frame-Options', 'deny'),
+                ('Content-Security-Policy', 'frame-options \'deny\'')]:
+            if cherrypy.response.headers.get(header, None) == value:
+                cherrypy.response.headers.pop(header, None)
+        return result
+
+    return wrapper
+
+
 class Endpoint(Log):
     def __init__(self, site):
         self._site = site
@@ -19,6 +37,8 @@ class Endpoint(Log):
         self.default_headers = {
             'Cache-Control': 'no-cache, no-store, must-revalidate, private',
             'Pragma': 'no-cache',
+            'Content-Security-Policy': 'frame-options \'deny\'',
+            'X-Frame-Options': 'deny',
         }
         self.auth_protect = False