#412 Add configuration for the `frame-ancestors` value of CSP
Opened 2 months ago by abompard. Modified 2 months ago
abompard/ipsilon csp-frames  into  master

file modified
+1
@@ -6,6 +6,7 @@ 

  

  base.mount = "/idp"

  base.dir = "/usr/share/ipsilon"

+ csp.frame-ancestors = "'none'"

  admin.config.db = "/var/lib/ipsilon/adminconfig.sqlite"

  user.prefs.db = "/var/lib/ipsilon/userprefs.sqlite"

  

file modified
+3 -4
@@ -9,13 +9,12 @@ 

  

  def allow_iframe(func):

      """

-     Remove the X-Frame-Options and CSP frame-ancestors deny headers.

+     Remove the CSP frame-ancestors deny headers.

      """

      @wraps(func)

      def wrapper(*args, **kwargs):

          result = func(*args, **kwargs)

          for (header, value) in [

-                 ('X-Frame-Options', 'deny'),

                  ('Content-Security-Policy', 'frame-ancestors \'none\'')]:

              if cherrypy.response.headers.get(header, None) == value:

                  cherrypy.response.headers.pop(header, None)
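Review bot: The comparison in `allow_iframe` still matches the literal `'frame-ancestors \'none\''`, while `__init__` in the next hunk now builds the header from `csp.frame-ancestors`, so with any non-default value the decorator no longer finds the header and silently stops removing it. Unless decorated pages are meant to keep the configured policy, the wrapper should compare against the same configured value, e.g. `expected = 'frame-ancestors ' + cherrypy.config.get('csp.frame-ancestors', "'none'")` followed by `if cherrypy.response.headers.get('Content-Security-Policy') == expected:` and `cherrypy.response.headers.pop('Content-Security-Policy', None)`. The configured value is also interpolated into the header unchecked, so a stray `;` would append further directives and an unquoted `none` or `self` is treated as a host name rather than the keyword; a small validation at the config read (a quoted keyword or a whitespace-separated list of origins) or at least a comment that keywords must be quoted would help. If browsers without CSP Level 2 support still matter, `X-Frame-Options` could be emitted alongside only when the configured value is `'none'` or `'self'`, since those map to `DENY` and `SAMEORIGIN`. The body of `wrapper` continues outside the hunk.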
@@ -29,11 +28,11 @@ 

          self._site = site

          self.basepath = cherrypy.config.get('base.mount', "")

          self.user = None

+         _frame_ancestors = cherrypy.config.get('csp.frame-ancestors', "'none'")

          self.default_headers = {

              'Cache-Control': 'no-cache, no-store, must-revalidate, private',

              'Pragma': 'no-cache',

-             'Content-Security-Policy': 'frame-ancestors \'none\'',

-             'X-Frame-Options': 'deny',

+             'Content-Security-Policy': f'frame-ancestors {_frame_ancestors}',

          }

          self.auth_protect = False

  

file modified
+3
@@ -50,6 +50,9 @@ 

  .B base.dir

  The Ipsilon UI base directory, e.g. \fI/usr/share/ipsilon\fR.

  .TP

+ .B csp.frame-ancestors

+ The value of frame-ancestors in the Content Security Policy. This defaults to 'none', which allows does not allow (i)frames.

+ .TP

  .B admin.config.db

  Database URL for storing Ipsilon administrative settings.

  .TP

file modified
+6
@@ -206,3 +206,9 @@ 

          page.expected_value('//div[@id="row_provider_http://keyless-sp"]/'

                              '@title',

                              'WARNING: SP does not have signing keys!')

+ 

+     with TC.case('Check CSP'):

+         page = sess.access("GET", 'https://127.0.0.10:45080/idp1/')

+         csp = page.headers.get("content-security-policy")

+         if csp != "frame-ancestors 'none'":

+             raise ValueError(f"Content Security Policy is set to {csp}")
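Review bot: The new 'Check CSP' case only asserts the default `frame-ancestors 'none'`, so the configuration option this PR adds is never exercised. A second case that runs an instance with `csp.frame-ancestors` set to a non-default value such as `'self'` and checks the header reflects it would cover the new code path, and if the test deployment exposes an endpoint decorated with `allow_iframe`, a request to it asserting the header is absent would confirm the decorator still works with the configured value. The enclosing test function starts before the hunk.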