@@ -9,13 +9,12 @@
def allow_iframe(func):
"""
- Remove the X-Frame-Options and CSP frame-ancestors deny headers.
+ Remove the CSP frame-ancestors deny headers.
"""
@wraps(func)
def wrapper(*args, **kwargs):
result = func(*args, **kwargs)
for (header, value) in [
- ('X-Frame-Options', 'deny'),
('Content-Security-Policy', 'frame-ancestors \'none\'')]:
if cherrypy.response.headers.get(header, None) == value:
cherrypy.response.headers.pop(header, None)
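Review bot: The equality test at `if cherrypy.response.headers.get(header, None) == value:` still matches only the literal `frame-ancestors 'none'`, so as soon as an administrator sets `csp.frame-ancestors` to anything else, `allow_iframe` silently becomes a no-op and the decorated endpoint is embeddable only by the configured ancestors rather than by any origin. That may be the intended (and safer) outcome, but the new docstring does not say so; I would extend it with `Only the default 'none' policy is removed; a configured csp.frame-ancestors allowlist stays in force on decorated endpoints.` If unrestricted framing is what the decorator is meant to guarantee, match on the directive rather than the full value, e.g. `if str(cherrypy.response.headers.get(header, '')).startswith('frame-ancestors')`. Note also that the decorator no longer strips `X-Frame-Options`, so an `X-Frame-Options` header set by anything other than the removed default (a proxy or another CherryPy tool, if one exists) would now survive on these endpoints.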
@@ -29,11 +28,11 @@
self._site = site
self.basepath = cherrypy.config.get('base.mount', "")
self.user = None
+ _frame_ancestors = cherrypy.config.get('csp.frame-ancestors', "'none'")
self.default_headers = {
'Cache-Control': 'no-cache, no-store, must-revalidate, private',
'Pragma': 'no-cache',
- 'Content-Security-Policy': 'frame-ancestors \'none\'',
- 'X-Frame-Options': 'deny',
+ 'Content-Security-Policy': f'frame-ancestors {_frame_ancestors}',
}
self.auth_protect = False
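Review bot: The value read at `_frame_ancestors = cherrypy.config.get('csp.frame-ancestors', "'none'")` is interpolated into the header verbatim, so a misconfigured value containing `;` or CR/LF would append further CSP directives or corrupt the header line, and an empty string yields a bare `frame-ancestors ` directive; a startup check such as `if not _frame_ancestors.strip() or any(c in _frame_ancestors for c in ';\r\n'): raise ValueError('csp.frame-ancestors: invalid source list')` would fail fast on the operator's mistake instead of serving a broken policy. Dropping `'X-Frame-Options': 'deny'` outright also removes the only clickjacking signal that browsers without CSP Level 2 support (notably IE11) understand; since the default stays `'none'`, it could be retained for that case with `if _frame_ancestors == "'none'": self.default_headers['X-Frame-Options'] = 'deny'` (and `SAMEORIGIN` for a configured `'self'`), though `allow_iframe` would then have to strip it again as it did before this change. The enclosing `__init__` starts before this hunk, so I cannot see whether the config key is documented or validated elsewhere.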
Add a configuration option to set the domains allowed to display Ipsilon
in a frame / iframe / embed using Content Security Policy.
Reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2235532