fix(addFrameOptions): strict csp domain now matches (#704)
JAdshead authored Mar 24, 2022
1 parent f3f0c92 commit ee252db
Showing 3 changed files with 6 additions and 6 deletions.
6 changes: 3 additions & 3 deletions __tests__/server/middleware/addFrameOptionsHeader.spec.js
Expand Up @@ -18,7 +18,7 @@ import addFrameOptionsHeader from '../../../src/server/middleware/addFrameOption

jest.mock('../../../src/server/middleware/csp', () => ({
getCSP: () => ({
'frame-ancestors': ['*.example.com'],
'frame-ancestors': ['valid.example.com'],
}),
}));

Expand All @@ -36,14 +36,14 @@ describe('addFrameOptionsHeader', () => {

it('should add X-Frame-Options ALLOW-FROM header on approved ancestor', () => {
req = {
get: jest.fn(() => 'https://external.example.com/embedded'),
get: jest.fn(() => 'https://valid.example.com/embedded'),
};
addFrameOptionsHeader(req, res, next);

expect(req.get).toHaveBeenCalledWith('Referer');
expect(res.set).toBeCalledWith(
'X-Frame-Options',
'ALLOW-FROM https://external.example.com/embedded'
'ALLOW-FROM https://valid.example.com/embedded'
);
expect(next).toBeCalled();
});
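Review bot: Narrowing the mocked `'frame-ancestors'` entry from `*.example.com` to `valid.example.com` removes the only wildcard pattern the spec exercised, so the glob path of the matcher is now untested; with the old value the assertion appears to have passed only because the leading `*` absorbed the `https://` prefix, which is precisely the behaviour the source change alters. Keeping both shapes in the mock, e.g. `'frame-ancestors': ['valid.example.com', '*.trusted.example.com'],` (constructed example) and adding a second `it` whose referer is a subdomain of the wildcard entry, would pin the exact-host and wildcard cases separately. A negative case with an unapproved referer is not visible in this hunk; if none exists further down, one would complete the coverage. The describe block continues outside the hunk.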
2 changes: 1 addition & 1 deletion package-lock.json


4 changes: 2 additions & 2 deletions src/server/middleware/addFrameOptionsHeader.js
Expand Up @@ -21,8 +21,8 @@ export default function addFrameOptionsHeader(req, res, next) {
const referer = req.get('Referer');

const frameAncestorDomains = getCSP()['frame-ancestors'];

const matchedDomain = frameAncestorDomains && frameAncestorDomains.find((domain) => matcher.isMatch(referer, `${domain}/*`)
const trimmedReferrer = referer && referer.replace('https://', '');
const matchedDomain = frameAncestorDomains && frameAncestorDomains.find((domain) => matcher.isMatch(trimmedReferrer, `${domain}/*`)
);

if (matchedDomain) {
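Review bot: Stripping the literal `https://` and then glob-matching the remainder of the Referer on the new `matchedDomain` line still compares path and query text against what is meant to be a host pattern; if `matcher` is the usual npm glob matcher, its `*` spans any character including `/`, so a wildcard entry such as `*.example.com` can be satisfied by text anywhere in the referer string rather than in its host, while an `http://` referer is silently never matched. Parsing the Referer with `new URL()` and matching only `hostname` (and requiring `protocol === 'https:'`) confines the pattern to the host and makes both failure modes explicit; this assumes frame-ancestors entries are bare host patterns, as the spec's mock on this page shows, and an unparsable Referer then simply does not match. addFrameOptionsHeader's body, including the later use of `matchedDomain`, continues outside the hunk.
```javascript
const referer = req.get('Referer');
// … unchanged: frameAncestorDomains lookup …
// Match on the parsed host only, so path/query text in the Referer can
// never satisfy a frame-ancestors pattern; an unparsable or non-https
// Referer does not match.
let refererUrl;
try {
  refererUrl = referer ? new URL(referer) : undefined;
} catch (err) {
  refererUrl = undefined;
}
const matchedDomain = refererUrl && refererUrl.protocol === 'https:' && frameAncestorDomains
  && frameAncestorDomains.find((domain) => matcher.isMatch(refererUrl.hostname, domain));
// … unchanged: if (matchedDomain) { … } …
```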

0 comments on commit ee252db

Please sign in to comment.