Allow frame ancestor URLs per CMS page

Valid Frame ancestor URLs are stored in the FDS page extension and are validated on save to be a space-separated list of URLs.
The CSP header is then set in the middleware that also disables X-Frame-Options selectively.

Author: stefanw

fragdenstaat_de/fds_cms/migrations/0068_fdspageextension_frame_ancestors.py

@@ -0,0 +1,27 @@
+# Generated by Django 4.2.14 on 2024-08-12 08:49
+
+from django.db import migrations, models
+
+import fragdenstaat_de.fds_cms.models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("fds_cms", "0067_alter_pretixembedcmsplugin_additional_settings"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="fdspageextension",
+            name="frame_ancestors",
+            field=models.CharField(
+                blank=True,
+                max_length=255,
+                validators=[
+                    fragdenstaat_de.fds_cms.models.validate_space_separated_urls
+                ],
+                verbose_name="Space separated list of allowed frame ancestor URLs.",
+            ),
+        ),
+    ]

fragdenstaat_de/fds_cms/models.py

@@ -1,4 +1,5 @@
 from django.conf import settings
+from django.core.exceptions import ValidationError
 from django.db import models
 from django.urls import NoReverseMatch
 from django.utils.translation import gettext_lazy as _
@@ -19,6 +20,20 @@
 from froide.publicbody.models import Category, Classification, Jurisdiction, PublicBody
 
 
+def validate_space_separated_urls(value):
+    if not value:
+        return
+    if ";" in value:
+        # Prevent adding different policy directives.
+        raise ValidationError("Use space separated URLs, no semicolons allowed.")
+    if len(value.splitlines()) > 1:
+        # Prevent header injection.
+        raise ValidationError("No line breaks allowed.")
+    for url in value.split(" "):
+        if not url.startswith("https://"):
+            raise ValidationError("Invalid URL: %s" % url)
+
+
 @extension_pool.register
 class FdsPageExtension(PageExtension):
     search_index = models.BooleanField(
@@ -57,6 +72,16 @@ class FdsPageExtension(PageExtension):
         ),
         default=False,
     )
+    frame_ancestors = models.CharField(
+        _("Space separated list of allowed frame ancestor URLs."),
+        max_length=255,
+        blank=True,
+        validators=[validate_space_separated_urls],
+    )
+
+    def get_frame_ancestors(self):
+        # Split by generic whitespace
+        return self.frame_ancestors.split()
 
 
 class PageAnnotationCMSPlugin(CMSPlugin):

fragdenstaat_de/theme/middleware.py

@@ -4,6 +4,16 @@
 class XFrameOptionsCSPMiddleware(XFrameOptionsMiddleware):
     def process_response(self, request, response):
         response = super().process_response(request, response)
+        current_page = getattr(request, "current_page", None)
+        if current_page is not None:
+            # current_page is a lazy object that only evaluates to None on attr access
+            extension = getattr(current_page, "fdspageextension", None)
+            if extension is not None and extension.frame_ancestors:
+                frame_ancestor_urls = " ".join(extension.get_frame_ancestors())
+                response.headers["Content-Security-Policy"] = (
+                    "frame-ancestors 'self' %s" % frame_ancestor_urls
+                )
+                del response["X-Frame-Options"]
         if response.has_header("X-Frame-Options"):
             response.headers["Content-Security-Policy"] = "frame-ancestors 'self'"
         return response