Skip to content

Protect iFrame embed to whitelist#306

Open
karendolan wants to merge 1 commit intooc-masterfrom
t/Add-x-frame-origin-header-to-all
Open

Protect iFrame embed to whitelist#306
karendolan wants to merge 1 commit intooc-masterfrom
t/Add-x-frame-origin-header-to-all

Conversation

@karendolan
Copy link
Member

@karendolan karendolan commented Apr 4, 2024
edited
Loading

NOTE: Leave this pull open in the case that non-Harvard site embed issues become a priority.

Verified whitelist and harvard.edu cases in QA-1420.
I verified local dev localhost whitelist works running local IC.

@karendolan
OPC-982 restrict iFrame embeds to *.harvard.edu, localhost testing, a…
5f099e0 
…nd config whitelist

- Update to use Content-Security-Policy: frame-ancestors instead of X-Frame-Options
- OPTION requests send origin header which is needed for the special cors headers
- Remove old headers
- support configurable whitelist
@karendolan karendolan force-pushed the t/Add-x-frame-origin-header-to-all branch from 43ecb98 to 5f099e0 Compare April 4, 2024 16:11
@karendolan
Copy link
Member Author

karendolan commented Jun 5, 2024

@lbjay @rute-santos FYI the issue with merging this is that we are afraid our videos are iFramed in non-harvard.edu sites and we didn't want to disturb that. It's a policy question whether to adopt this or not. This pull enables us to white-list non-harvard sites so they can embed, but we have to know about them to add then to the whitelist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@karendolan