Add Content-Security-Policy header to nginx config (#434)

* Add Content-Security-Policy header to nginx config * Try to use newer version of python for test workflow * Downgrade the setuptools version to install demjson * Add wheel installation step * Use ubuntu-20.04 for github action runner * Add trusted host workaround for tests workflow * Freeze setuptools version to 57.4.0 * Use setuptools<58 * Use quotes for "setuptools<58" * Add wheel installation * Revert workflow changes and update changelog --------- Co-authored-by: Vladyslav Tymofeiev <“[email protected]”>
appsembler · Aug 13, 2024 · 6a43843 · 6a43843
1 parent 5be75c8
commit 6a43843
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 1 deletion.
diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
@@ -27,6 +27,8 @@ jobs:
       uses: actions/setup-python@v3
       with:
         python-version: ${{ matrix.python-version }}
+      env:
+        PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
     - name: Install Dependencies
       run: |
         pip install demjson

diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
@@ -33,4 +33,4 @@ jobs:
         pip install -r requirements.txt
     - name: Run Make test.syntax
       run: |
-        timeout 90m make --keep-going test.syntax 
+        timeout 90m make --keep-going test.syntax
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,10 @@
 All notable changes to this project will be documented in this file.
 Add any new changes to the top(right below this line).
 
+- Role: nginx
+  - Add the possibility to add the header `Content-Security-Policy frame-ancestors`. This is configured by the
+    EDXAPP_LMS_IFRAME_ENABLED switcher and EDXAPP_LMS_FRAME-ANCESTORS value.
+
 - Role: edxapp BREAKING_CHANGE
   - The sandbox environment that runs instructor written python code used to run python 2.7. We update the default to
     python 3.5 but provide a new variable to be able to go back to the old setting.  If `edxapp_sandbox_python_version`

diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -121,6 +121,11 @@ error_page {{ k }} {{ v }};
   # prevent the browser from doing MIME-type sniffing
   add_header X-Content-Type-Options nosniff;
 
+  {% if EDXAPP_LMS_IFRAME_ENABLED %}
+  # Allow iFrame for the provided hosts
+  add_header Content-Security-Policy "frame-ancestors 'self' {{ EDXAPP_LMS_FRAME-ANCESTORS }}";
+  {% endif %}
+
   # Prevent invalid display courseware in IE 10+ with high privacy settings
   add_header P3P '{{ NGINX_P3P_MESSAGE }}';