Merge pull request #2716 from edx/cdodge/prevent-clickjacking

allow the prevention of the LMS/CMS from being renderable in an iframe

Merge pull request #2716 from edx/cdodge/prevent-clickjacking
allow the prevention of the LMS/CMS from being renderable in an iframe
a5132493 · chrisndodge · 6d3c62b2 · fce30825 · a5132493 · a5132493
Commit a5132493 authored Feb 28, 2014 by chrisndodge
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 0 deletions

cms/envs/aws.py
+3 -0

cms/envs/common.py
+6 -0

lms/djangoapps/branding/tests.py
+19 -0

lms/envs/aws.py
+3 -0

lms/envs/common.py
+5 -0

No files found.
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -259,3 +259,6 @@ PASSWORD_DICTIONARY = ENV_TOKENS.get("PASSWORD_DICTIONARY", [])

 ### INACTIVITY SETTINGS ####
 SESSION_INACTIVITY_TIMEOUT_IN_SECONDS = AUTH_TOKENS.get("SESSION_INACTIVITY_TIMEOUT_IN_SECONDS")
+
+##### X-Frame-Options response header settings #####
+X_FRAME_OPTIONS = ENV_TOKENS.get('X_FRAME_OPTIONS', X_FRAME_OPTIONS)
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -205,8 +205,14 @@ MIDDLEWARE_CLASSES = (

    # for expiring inactive sessions
    'session_inactivity_timeout.middleware.SessionInactivityTimeout',
+
+    # use Django built in clickjacking protection
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )

+# Clickjacking protection can be enabled by setting this to 'DENY'
+X_FRAME_OPTIONS = 'ALLOW'
+
 ############# XBlock Configuration ##########

 # This should be moved into an XBlock Runtime/Application object

--- a/lms/djangoapps/branding/tests.py
+++ b/lms/djangoapps/branding/tests.py
@@ -53,3 +53,22 @@ class AnonymousIndexPageTest(ModuleStoreTestCase):
    def test_anon_user_no_startdate_index(self):
        response = self.client.get('/')
        self.assertEqual(response.status_code, 200)
+
+    def test_allow_x_frame_options(self):
+        """
+        Check the x-frame-option response header
+        """
+
+        # check to see that the default setting is to ALLOW iframing
+        resp = self.client.get('/')
+        self.assertEquals(resp['X-Frame-Options'], 'ALLOW')
+
+    @override_settings(X_FRAME_OPTIONS='DENY')
+    def test_deny_x_frame_options(self):
+        """
+        Check the x-frame-option response header
+        """
+
+        # check to see that the override value is honored
+        resp = self.client.get('/')
+        self.assertEquals(resp['X-Frame-Options'], 'DENY')
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -378,3 +378,6 @@ SESSION_INACTIVITY_TIMEOUT_IN_SECONDS = AUTH_TOKENS.get("SESSION_INACTIVITY_TIME
 ##### LMS DEADLINE DISPLAY TIME_ZONE #######
 TIME_ZONE_DISPLAYED_FOR_DEADLINES = ENV_TOKENS.get("TIME_ZONE_DISPLAYED_FOR_DEADLINES",
                                                   TIME_ZONE_DISPLAYED_FOR_DEADLINES)
+
+##### X-Frame-Options response header settings #####
+X_FRAME_OPTIONS = ENV_TOKENS.get('X_FRAME_OPTIONS', X_FRAME_OPTIONS)
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -740,8 +740,13 @@ MIDDLEWARE_CLASSES = (
    # for expiring inactive sessions
    'session_inactivity_timeout.middleware.SessionInactivityTimeout',

+    # use Django built in clickjacking protection
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )

+# Clickjacking protection can be enabled by setting this to 'DENY'
+X_FRAME_OPTIONS = 'ALLOW'
+
 ############################### Pipeline #######################################

 STATICFILES_STORAGE = 'pipeline.storage.PipelineCachedStorage'