From fce30825df4dedac4d9031e492889dbab8c09b76 Mon Sep 17 00:00:00 2001
From: Chris Dodge
Date: Mon, 24 Feb 2014 22:09:31 -0500
Subject: [PATCH] allow the prevention of the LMS/CMS from being renderable in an iframe
---
 cms/envs/aws.py | 3 +++
 cms/envs/common.py | 6 ++++++
 lms/djangoapps/branding/tests.py | 19 +++++++++++++++++++
 lms/envs/aws.py | 3 +++
 lms/envs/common.py | 5 +++++
 5 files changed, 36 insertions(+)
diff --git a/cms/envs/aws.py b/cms/envs/aws.py
index 2c4a43a772..2bdd075218 100644
--- a/cms/envs/aws.py
+++ b/cms/envs/aws.py
@@ -259,3 +259,6 @@ PASSWORD_DICTIONARY = ENV_TOKENS.get("PASSWORD_DICTIONARY", [])
 ### INACTIVITY SETTINGS ####
 SESSION_INACTIVITY_TIMEOUT_IN_SECONDS = AUTH_TOKENS.get("SESSION_INACTIVITY_TIMEOUT_IN_SECONDS")
+
+##### X-Frame-Options response header settings #####
+X_FRAME_OPTIONS = ENV_TOKENS.get('X_FRAME_OPTIONS', X_FRAME_OPTIONS)
diff --git a/cms/envs/common.py b/cms/envs/common.py
index 902bd59c1e..258a76bc65 100644
--- a/cms/envs/common.py
+++ b/cms/envs/common.py
@@ -205,8 +205,14 @@ MIDDLEWARE_CLASSES = (
     # for expiring inactive sessions
     'session_inactivity_timeout.middleware.SessionInactivityTimeout',
+
+    # use Django built in clickjacking protection
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )
+# Clickjacking protection can be enabled by setting this to 'DENY'
+X_FRAME_OPTIONS = 'ALLOW'
+
 ############# XBlock Configuration ##########
 # This should be moved into an XBlock Runtime/Application object
diff --git a/lms/djangoapps/branding/tests.py b/lms/djangoapps/branding/tests.py
index 3849e54161..357ddb8e37 100644
--- a/lms/djangoapps/branding/tests.py
+++ b/lms/djangoapps/branding/tests.py
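Review bot: The value read from `ENV_TOKENS` on the last added line is passed through with no validation, so a misspelled or mis-cased operator value (for example `'deny'` or `'DENNY'`) reaches the response header unchecked; browsers ignore an X-Frame-Options value they do not recognize, which leaves the site frameable while the deployment appears to have opted in to protection. Django's middleware may upper-case the setting at response time (confirm for the Django version in use), which would cover case but not spelling. A startup check keeps the misconfiguration visible: `if X_FRAME_OPTIONS not in ('ALLOW', 'DENY', 'SAMEORIGIN'):` followed by `raise ValueError('X_FRAME_OPTIONS must be ALLOW, DENY or SAMEORIGIN')` (or Django's `ImproperlyConfigured`, if it is imported in this settings module). The same unchecked read is added in lms/envs/aws.py.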
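Review bot: `X_FRAME_OPTIONS = 'ALLOW'` sets a value the X-Frame-Options header does not define; the recognized values are `DENY` and `SAMEORIGIN`, and browsers ignore an unrecognized value, so the header is emitted on every response but has no effect. That gives the intended permissive default, but only because browsers discard it, and the added comment presents `'ALLOW'` as a meaningful option to the next reader of the settings. Replace the comment with `# 'ALLOW' is not a standard X-Frame-Options value: browsers ignore it, so framing stays permitted; set 'DENY' or 'SAMEORIGIN' to restrict framing.` The same default and comment are added in lms/envs/common.py; the `MIDDLEWARE_CLASSES` tuple begins outside the hunk.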
@@ -53,3 +53,22 @@ class AnonymousIndexPageTest(ModuleStoreTestCase):
     def test_anon_user_no_startdate_index(self):
         response = self.client.get('/')
         self.assertEqual(response.status_code, 200)
+
+    def test_allow_x_frame_options(self):
+        """
+        Check the x-frame-option response header
+        """
+
+        # check to see that the default setting is to ALLOW iframing
+        resp = self.client.get('/')
+        self.assertEquals(resp['X-Frame-Options'], 'ALLOW')
+
+    @override_settings(X_FRAME_OPTIONS='DENY')
+    def test_deny_x_frame_options(self):
+        """
+        Check the x-frame-option response header
+        """
+
+        # check to see that the override value is honored
+        resp = self.client.get('/')
+        self.assertEquals(resp['X-Frame-Options'], 'DENY')
diff --git a/lms/envs/aws.py b/lms/envs/aws.py
index a427ff2f78..720d418c7e 100644
--- a/lms/envs/aws.py
+++ b/lms/envs/aws.py
@@ -378,3 +378,6 @@ SESSION_INACTIVITY_TIMEOUT_IN_SECONDS = AUTH_TOKENS.get("SESSION_INACTIVITY_TIME
 ##### LMS DEADLINE DISPLAY TIME_ZONE #######
 TIME_ZONE_DISPLAYED_FOR_DEADLINES = ENV_TOKENS.get("TIME_ZONE_DISPLAYED_FOR_DEADLINES", TIME_ZONE_DISPLAYED_FOR_DEADLINES)
+
+##### X-Frame-Options response header settings #####
+X_FRAME_OPTIONS = ENV_TOKENS.get('X_FRAME_OPTIONS', X_FRAME_OPTIONS)
diff --git a/lms/envs/common.py b/lms/envs/common.py
index a9d2f75726..8dac6332a0 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -740,8 +740,13 @@ MIDDLEWARE_CLASSES = (
     # for expiring inactive sessions
     'session_inactivity_timeout.middleware.SessionInactivityTimeout',
+    # use Django built in clickjacking protection
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
 )
+# Clickjacking protection can be enabled by setting this to 'DENY'
+X_FRAME_OPTIONS = 'ALLOW'
+
 ############################### Pipeline #######################################
 STATICFILES_STORAGE = 'pipeline.storage.PipelineCachedStorage'
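Review bot: Both new tests call `assertEquals`, the deprecated alias, while the context line just above them uses `assertEqual`; write `self.assertEqual(resp['X-Frame-Options'], 'ALLOW')` and `self.assertEqual(resp['X-Frame-Options'], 'DENY')` to keep the file consistent. The two docstrings are identical and do not say which case each test covers; `Default settings send X-Frame-Options: ALLOW, so framing stays permitted.` and `An X_FRAME_OPTIONS override is reflected in the response header.` would distinguish them, and the first should note that `ALLOW` is not a value browsers recognize, since the test pins it. The hunk adds no import, so `override_settings` must already be in scope in this file — worth confirming, as the second test fails at import time otherwise. The enclosing class AnonymousIndexPageTest starts outside the hunk.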