Merge pull request code-dot-org#5440 from code-dot-org/dynamic_iframe_whitelist

philbogle · philbogle · commit fdeab02bd047 · 2015-11-17T09:42:13.000-08:00
Allow allowed_iframe_ancestors to be defined in DCDO or CDO
diff --git a/lib/cdo/rack/upgrade_insecure_requests.rb b/lib/cdo/rack/upgrade_insecure_requests.rb
@@ -51,13 +51,14 @@ def call(env)
           ]
         end
 
-        # If the CDO.allowed_iframe_ancestors configuration variable is
+        # If the DCDO or CDO allowed_iframe_ancestors configuration variable is
         # defined, override the default SAMEORIGIN policy to allow the
         # specified source list (as described in
         # http://w3c.github.io/webappsec-csp/#source-lists) to frame our
         # content.
-        if CDO.allowed_iframe_ancestors
-          policies << "frame-ancestors 'self' #{CDO.allowed_iframe_ancestors}"
+        allowed_iframe_ancestors = DCDO.get('allowed_iframe_ancestors', nil) || CDO.allowed_iframe_ancestors
+        if allowed_iframe_ancestors
+          policies << "frame-ancestors 'self' #{allowed_iframe_ancestors}"
 
           # Clear the older X-Frame-Options header because it doesn't support
           # multiple domains. We need to clear this because on Chrome,
