Merge pull request #2305 from Matt-Yorkley/uk/domain_headers
Ensure domain in SSL header matches request with or without www prefix
sauloperez authored May 23, 2018
2 parents d218a51 + c2934d3 commit 9d57beb
Showing 2 changed files with 17 additions and 2 deletions.
2 changes: 1 addition & 1 deletion app/controllers/application_controller.rb
Expand Up @@ -60,7 +60,7 @@ def enable_embedded_shopfront
return if embedding_without_https?

response.headers.delete 'X-Frame-Options'
response.headers['Content-Security-Policy'] = "frame-ancestors #{embedded_shopfront_referer}"
response.headers['Content-Security-Policy'] = "frame-ancestors #{URI(request.referer).host.downcase}"

check_embedded_request
set_embedded_layout
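Review bot: The new `Content-Security-Policy` line parses `request.referer` unguarded, and the Referer header is supplied by the client: a request without one reaches `URI(nil)`, which raises ArgumentError, a referer with no host (relative or opaque URI) raises NoMethodError on `nil.downcase`, and a malformed value raises URI::InvalidURIError — each turns a merely odd request into a 500 on a header-setting path. Parsing should be defensive: compute the host once, rescue the parse error, and fall back to `'none'` when no host is available (the value the accompanying spec already asserts in another example), as sketched below. Whether the whitelist is enforced inside `check_embedded_request` is not visible here; if it is, the header is written from the unverified referer first and only corrected afterwards, and passing the parsed host into that check would avoid the two-step. The enclosing `enable_embedded_shopfront` begins and ends outside the hunk.
```ruby
response.headers.delete 'X-Frame-Options'
referer_host = begin
  URI(request.referer.to_s).host.to_s.downcase
rescue URI::InvalidURIError
  ''
end
response.headers['Content-Security-Policy'] =
  "frame-ancestors #{referer_host.empty? ? "'none'" : referer_host}"
# … unchanged: check_embedded_request / set_embedded_layout …
```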
17 changes: 16 additions & 1 deletion spec/requests/embedded_shopfronts_headers_spec.rb
Expand Up @@ -44,7 +44,7 @@
context "with a valid whitelist" do
before do
Spree::Config[:embedded_shopfronts_whitelist] = "example.com external-site.com"
allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://www.external-site.com/shop?embedded_shopfront=true')
allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://external-site.com/shop?embedded_shopfront=true')
end

it "allows iframes on certain pages when enabled in configuration" do
Expand All @@ -61,5 +61,20 @@
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors 'none'"
end
end

context "with www prefix" do
before do
Spree::Config[:embedded_shopfronts_whitelist] = "example.com external-site.com"
allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return('http://www.external-site.com/shop?embedded_shopfront=true')
end

it "matches the URL structure in the header" do
get shops_path

expect(response.status).to be 200
expect(response.headers['X-Frame-Options']).to be_nil
expect(response.headers['Content-Security-Policy']).to eq "frame-ancestors www.external-site.com"
end
end
end
end
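Review bot: The new `with www prefix` context only exercises a well-formed referer, and no example covers a missing or host-less Referer, which is the input most likely to make the controller's `URI(request.referer).host.downcase` raise; a third context stubbing `allow_any_instance_of(ActionDispatch::Request).to receive(:referer).and_return(nil)` and asserting the response status and header would pin whatever fallback is intended. The two `before` blocks now repeat the `Spree::Config[:embedded_shopfronts_whitelist]` assignment; hoisting it into the enclosing context's `before` would leave each example with only the referer line that differs. The expectation `"frame-ancestors www.external-site.com"` shows the header echoing the referer host with its `www.` prefix while the whitelist entry is `external-site.com`; if the whitelist match is meant to be prefix-tolerant while the header keeps the exact host, a one-line comment saying so would make the intent of this commit explicit.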
