allow the prevention of the LMS/CMS from being renderable in an iframe

696c4361 · Chris Dodge · Xavier Antoviaque · c60fa954 · 696c4361 · 696c4361
Commit 696c4361 authored Feb 24, 2014 by Chris Dodge Committed by Xavier Antoviaque Mar 03, 2014
Show whitespace changes
Inline Side-by-side

Showing with 39 additions and 0 deletions

cms/envs/aws.py
+3 -0

cms/envs/common.py
+7 -0

lms/djangoapps/branding/tests.py
+19 -0

lms/envs/aws.py
+3 -0

lms/envs/common.py
+7 -0

No files found.
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -264,3 +264,6 @@ PASSWORD_DICTIONARY = ENV_TOKENS.get("PASSWORD_DICTIONARY", [])
 ### INACTIVITY SETTINGS ####
 SESSION_INACTIVITY_TIMEOUT_IN_SECONDS = AUTH_TOKENS.get("SESSION_INACTIVITY_TIMEOUT_IN_SECONDS")
+##### X-Frame-Options response header settings #####
+X_FRAME_OPTIONS = ENV_TOKENS.get('X_FRAME_OPTIONS', X_FRAME_OPTIONS)
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -195,8 +195,15 @@ MIDDLEWARE_CLASSES = (
    # for expiring inactive sessions
    'session_inactivity_timeout.middleware.SessionInactivityTimeout',
+    # use Django built in clickjacking protection
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )
+# This can be overridden if one does not want LMS/CMS to be embeddable in
+# an iframe
+X_FRAME_OPTIONS = 'ALLOW'
 ############# XBlock Configuration ##########
 # This should be moved into an XBlock Runtime/Application object

--- a/lms/djangoapps/branding/tests.py
+++ b/lms/djangoapps/branding/tests.py
@@ -53,3 +53,22 @@ class AnonymousIndexPageTest(ModuleStoreTestCase):
    def test_anon_user_no_startdate_index(self):
        response = self.client.get('/')
        self.assertEqual(response.status_code, 200)
+    def test_allow_x_frame_options(self):
+        """
+        Check the x-frame-option response header
+        """
+        # check to see that the default setting is to ALLOW iframing
+        resp = self.client.get('/')
+        self.assertEquals(resp['X-Frame-Options'], 'ALLOW')
+    @override_settings(X_FRAME_OPTIONS='DENY')
+    def test_deny_x_frame_options(self):
+        """
+        Check the x-frame-option response header
+        """
+        # check to see that the override value is honored
+        resp = self.client.get('/')
+        self.assertEquals(resp['X-Frame-Options'], 'DENY')
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -383,3 +383,6 @@ if ENV_TOKENS.get('XBLOCK_SELECT_FUNCTION') == 'prefer_xmodules':
 ##### LMS DEADLINE DISPLAY TIME_ZONE #######
 TIME_ZONE_DISPLAYED_FOR_DEADLINES = ENV_TOKENS.get("TIME_ZONE_DISPLAYED_FOR_DEADLINES",
                                                   TIME_ZONE_DISPLAYED_FOR_DEADLINES)
+##### X-Frame-Options response header settings #####
+X_FRAME_OPTIONS = ENV_TOKENS.get('X_FRAME_OPTIONS', X_FRAME_OPTIONS)
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -732,8 +732,15 @@ MIDDLEWARE_CLASSES = (
    # for expiring inactive sessions
    'session_inactivity_timeout.middleware.SessionInactivityTimeout',
+    # use Django built in clickjacking protection
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )
+# This can be overridden if one does not want LMS/CMS to be embeddable in
+# an iframe
+X_FRAME_OPTIONS = 'ALLOW'
 ############################### Pipeline #######################################
 STATICFILES_STORAGE = 'pipeline.storage.PipelineCachedStorage'