fix(addFrameOptions): strict csp domain now matches

__tests__/server/middleware/addFrameOptionsHeader.spec.js

@@ -18,7 +18,7 @@ import addFrameOptionsHeader from '../../../src/server/middleware/addFrameOption
 
 jest.mock('../../../src/server/middleware/csp', () => ({
   getCSP: () => ({
-    'frame-ancestors': ['*.example.com'],
+    'frame-ancestors': ['valid.example.com'],
   }),
 }));
 
@@ -36,14 +36,14 @@ describe('addFrameOptionsHeader', () => {
 
   it('should add X-Frame-Options ALLOW-FROM header on approved ancestor', () => {
     req = {
-      get: jest.fn(() => 'https://external.example.com/embedded'),
+      get: jest.fn(() => 'https://valid.example.com/embedded'),
     };
     addFrameOptionsHeader(req, res, next);
 
     expect(req.get).toHaveBeenCalledWith('Referer');
     expect(res.set).toBeCalledWith(
       'X-Frame-Options',
-      'ALLOW-FROM https://external.example.com/embedded'
+      'ALLOW-FROM https://valid.example.com/embedded'
     );
     expect(next).toBeCalled();
   });

src/server/middleware/addFrameOptionsHeader.js

@@ -21,8 +21,8 @@ export default function addFrameOptionsHeader(req, res, next) {
   const referer = req.get('Referer');
 
   const frameAncestorDomains = getCSP()['frame-ancestors'];
-
-  const matchedDomain = frameAncestorDomains && frameAncestorDomains.find((domain) => matcher.isMatch(referer, `${domain}/*`)
+  const trimmedReferrer = referer && referer.replace('https://', '');
+  const matchedDomain = frameAncestorDomains && frameAncestorDomains.find((domain) => matcher.isMatch(trimmedReferrer, `${domain}/*`)
   );
 
   if (matchedDomain) {