#270 Fix frame-options in CSP
Merged 4 years ago by apollo13. Opened 4 years ago by apollo13.
apollo13/ipsilon frame_options  into  master

file modified
+3 -3
@@ -14,14 +14,14 @@ 

  

  def allow_iframe(func):

      """

-     Remove the X-Frame-Options and CSP frame-options deny headers.

+     Remove the X-Frame-Options and CSP frame-ancestors deny headers.

      """

      @wraps(func)

      def wrapper(*args, **kwargs):

          result = func(*args, **kwargs)

          for (header, value) in [

                  ('X-Frame-Options', 'deny'),

-                 ('Content-Security-Policy', 'frame-options \'deny\'')]:

+                 ('Content-Security-Policy', 'frame-ancestors \'none\'')]:

              if cherrypy.response.headers.get(header, None) == value:

                  cherrypy.response.headers.pop(header, None)

          return result
@@ -37,7 +37,7 @@ 

          self.default_headers = {

              'Cache-Control': 'no-cache, no-store, must-revalidate, private',

              'Pragma': 'no-cache',

-             'Content-Security-Policy': 'frame-options \'deny\'',

+             'Content-Security-Policy': 'frame-ancestors \'none\'',

              'X-Frame-Options': 'deny',

          }

          self.auth_protect = False

no initial comment

rebased

4 years ago

rebased

4 years ago

Commit 6ffed07 fixes this pull-request

Pull-Request has been merged by florian@apolloner.eu

4 years ago