Replace security_disable_frames with security_csp_frame_ancestors

ood-portal-generator/lib/ood_portal_generator/view.rb

@@ -38,7 +38,7 @@ def initialize(opts = {})
       @maintenance_ip_whitelist = Array(opts.fetch(:maintenance_ip_whitelist, []))
 
       # Security configuration
-      @security_disable_frames = opts.fetch(:security_disable_frames, true)
+      @security_csp_frame_ancestors = opts.fetch(:security_csp_frame_ancestors, "#{@protocol}#{@servername ?  @servername : OodPortalGenerator.fqdn}")
       @security_strict_transport = opts.fetch(:security_strict_transport, !@ssl.nil?)
 
       # Portal authentication

ood-portal-generator/share/ood_portal_example.yml

@@ -80,11 +80,13 @@
 # Default: [] (no IPs whitelisted)
 #maintenance_ip_whitelist: []
 
-# Set Header Content-Security-Policy to disallow OnDemand beind loaded in an iFrame.
+# Set Header Content-Security-Policy frame-ancestors.
 # Example:
-#   security_disable_frames: false
-# Default: true
-#security_disable_frames: true
+#   security_csp_frame_ancestors: https://ondemand.osc.edu
+# Example to disable setting:
+#   security_csp_frame_ancestors: false
+# Default: based on servername and ssl settings
+#security_disable_frames:
 
 # Set Header Strict-Transport-Security to help enforce SSL
 # Example:

ood-portal-generator/spec/fixtures/ood-portal.conf.default

@@ -57,7 +57,7 @@
   ErrorDocument 503 /public/maintenance/index.html
   Header Set Cache-Control "max-age=0, no-store"
 
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  Header always set Content-Security-Policy "frame-ancestors http://example.com;"
 
   # Lua configuration
   #

ood-portal-generator/spec/fixtures/ood-portal.conf.dex

@@ -57,7 +57,7 @@
   ErrorDocument 503 /public/maintenance/index.html
   Header Set Cache-Control "max-age=0, no-store"
 
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  Header always set Content-Security-Policy "frame-ancestors http://example.com;"
 
   # OIDC configuration
   #

ood-portal-generator/spec/fixtures/ood-portal.conf.dex-full

@@ -69,7 +69,7 @@
   ErrorDocument 503 /public/maintenance/index.html
   Header Set Cache-Control "max-age=0, no-store"
 
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  Header always set Content-Security-Policy "frame-ancestors https://example.com;"
   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 
   SSLEngine On

ood-portal-generator/spec/fixtures/ood-portal.conf.dex-ldap

@@ -69,7 +69,7 @@
   ErrorDocument 503 /public/maintenance/index.html
   Header Set Cache-Control "max-age=0, no-store"
 
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  Header always set Content-Security-Policy "frame-ancestors https://example.com;"
   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 
   SSLEngine On

ood-portal-generator/spec/fixtures/ood-portal.conf.maint_with_ips

@@ -59,7 +59,7 @@
   ErrorDocument 503 /public/maintenance/index.html
   Header Set Cache-Control "max-age=0, no-store"
 
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  Header always set Content-Security-Policy "frame-ancestors http://example.com;"
 
   # Lua configuration
   #

ood-portal-generator/spec/fixtures/ood-portal.conf.nomaint

@@ -48,7 +48,7 @@
   CustomLog "logs/access.log" combined
 
 
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  Header always set Content-Security-Policy "frame-ancestors http://example.com;"
 
   # Lua configuration
   #

ood-portal-generator/spec/fixtures/ood-portal.conf.oidc

@@ -61,7 +61,7 @@
   ErrorDocument 503 /public/maintenance/index.html
   Header Set Cache-Control "max-age=0, no-store"
 
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  Header always set Content-Security-Policy "frame-ancestors http://ondemand.example.com;"
 
   # OIDC configuration
   #

ood-portal-generator/spec/fixtures/ood-portal.conf.oidc-ssl

@@ -69,7 +69,7 @@
   ErrorDocument 503 /public/maintenance/index.html
   Header Set Cache-Control "max-age=0, no-store"
 
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  Header always set Content-Security-Policy "frame-ancestors https://ondemand.example.com;"
   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
 
   SSLEngine On

ood-portal-generator/spec/fixtures/sum.default

@@ -1 +1 @@
-9be4a58d643ec6f97069520f9e378b7ac5f1b5b9c74979293cb1144c0928e267 /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
+c8df0e79d2d670868b62ef4bdeed0a223c55c2e45efe80050dfae5c4324d24b5 /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf

ood-portal-generator/spec/update_ood_portal_spec.rb

@@ -32,6 +32,7 @@
 
   before(:each) do
     allow(OodPortalGenerator).to receive(:apache_group).and_return('apache')
+    allow(OodPortalGenerator).to receive(:fqdn).and_return('example.com')
   end
 
   after(:each) do
@@ -119,7 +120,6 @@
 
   context 'dex' do
     before(:each) do
-      allow(OodPortalGenerator).to receive(:fqdn).and_return('example.com')
       allow(OodPortalGenerator::Dex).to receive(:installed?).and_return(true)
       allow_any_instance_of(OodPortalGenerator::Dex).to receive(:enabled?).and_return(true)
       allow(OodPortalGenerator).to receive(:dex_user).and_return(user)

ood-portal-generator/templates/ood-portal.conf.erb

@@ -95,8 +95,8 @@ Listen <%= addr_port %>
   Header Set Cache-Control "max-age=0, no-store"
 
   <%- end -%>
-  <%- if @security_disable_frames -%>
-  Header always set Content-Security-Policy "frame-ancestors none;"
+  <%- if @security_csp_frame_ancestors -%>
+  Header always set Content-Security-Policy "frame-ancestors <%= @security_csp_frame_ancestors -%>;"
   <%- end -%>
   <%- if @security_strict_transport -%>
   Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"