From 6ffed07ff908518a6ce56f7fd05ba5f2097318f8 Mon Sep 17 00:00:00 2001
From: Florian Apolloner
Date: Apr 20 2017 20:11:01 +0000
Subject: Fix frame-options in CSP
Signed-off-by: Florian Apolloner
Merges: #270
Reviewed-by: Howard Johnson
---
diff --git a/ipsilon/util/endpoint.py b/ipsilon/util/endpoint.py
index b1552fe..49494fc 100644
--- a/ipsilon/util/endpoint.py
+++ b/ipsilon/util/endpoint.py
@@ -14,14 +14,14 @@ except ImportError:
 def allow_iframe(func):
     """
-    Remove the X-Frame-Options and CSP frame-options deny headers.
+    Remove the X-Frame-Options and CSP frame-ancestors deny headers.
     """
     @wraps(func)
     def wrapper(*args, **kwargs):
         result = func(*args, **kwargs)
         for (header, value) in [
                 ('X-Frame-Options', 'deny'),
-                ('Content-Security-Policy', 'frame-options \'deny\'')]:
+                ('Content-Security-Policy', 'frame-ancestors \'none\'')]:
             if cherrypy.response.headers.get(header, None) == value:
                 cherrypy.response.headers.pop(header, None)
         return result
@@ -37,7 +37,7 @@ class Endpoint(Log):
         self.default_headers = {
             'Cache-Control': 'no-cache, no-store, must-revalidate, private',
             'Pragma': 'no-cache',
-            'Content-Security-Policy': 'frame-options \'deny\'',
+            'Content-Security-Policy': 'frame-ancestors \'none\'',
             'X-Frame-Options': 'deny',
         }
         self.auth_protect = False
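Review bot: The CSP value that the `wrapper` inside `allow_iframe` compares against is a second hand-typed copy of the string `Endpoint.__init__` puts in `default_headers`, and this commit shows the hazard by having to edit both hunks in lockstep; if the two ever drift (another directive appended to the default policy, a change of quoting), the exact `==` check silently stops stripping the header and the embedded page is blocked with no error or log line. Hoist the literal into one module-level constant, e.g. `CSP_NO_FRAMING = "frame-ancestors 'none'"`, and reference it from both the tuple in the wrapper and the `'Content-Security-Policy'` entry in the `default_headers` dict in the second hunk. The updated docstring still says "deny" for the CSP directive even though the value is now `'none'`; `Remove the X-Frame-Options deny and CSP frame-ancestors 'none' headers.` describes the new behaviour accurately. The `Endpoint.__init__` method in the second hunk starts and ends outside the hunk.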