Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Protect iFrame embed to whitelist #306

Open
wants to merge 1 commit into
base: oc-master
Choose a base branch
from
Open

Protect iFrame embed to whitelist #306

wants to merge 1 commit into from

Conversation

karendolan
Copy link
Member

@karendolan karendolan commented Apr 4, 2024
edited
Loading

NOTE: Leave this pull open in the case that non-Harvard site embed issues become a priority.

Verified whitelist and harvard.edu cases in QA-1420.
I verified local dev localhost whitelist works running local IC.

@karendolan
OPC-982 restrict iFrame embeds to *.harvard.edu, localhost testing, a…
5f099e0 
…nd config whitelist

- Update to use Content-Security-Policy: frame-ancestors instead of X-Frame-Options
- OPTION requests send origin header which is needed for the special cors headers
- Remove old headers
- support configurable whitelist
@karendolan karendolan force-pushed the t/Add-x-frame-origin-header-to-all branch from 43ecb98 to 5f099e0 Compare April 4, 2024 16:11
@karendolan
Copy link
Member Author

@lbjay @rute-santos FYI the issue with merging this is that we are afraid our videos are iFramed in non-harvard.edu sites and we didn't want to disturb that. It's a policy question whether to adopt this or not. This pull enables us to white-list non-harvard sites so they can embed, but we have to know about them to add then to the whitelist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@karendolan