fix '"X-Frame-Options: ALLOW-FROM ..." prevents iframe from loading' (c…
[email protected] authored and [email protected] committed Jan 30, 2017
1 parent d458607 commit dad40b2
Showing 2 changed files with 84 additions and 0 deletions.
12 changes: 12 additions & 0 deletions src/request-pipeline/header-transforms.js
Expand Up @@ -118,6 +118,18 @@ var responseTransforms = {
var isCrossDomain = ctx.isIframe && !urlUtils.sameOriginCheck(ctx.dest.url, src);

return ctx.toProxyUrl(src, isCrossDomain, ctx.contentInfo.contentTypeUrlToken);
},

'x-frame-options': (src, ctx) => {
if (src.indexOf('ALLOW-FROM') === -1)
return src;

src = src.replace('ALLOW-FROM', '').trim();

var isCrossDomain = ctx.isIframe && !urlUtils.sameOriginCheck(ctx.dest.url, src);
var proxiedUrl = ctx.toProxyUrl(src, isCrossDomain, ctx.contentInfo.contentTypeUrlToken);

return 'ALLOW-FROM ' + proxiedUrl;
}
};
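Review bot: The directive match at `src.indexOf('ALLOW-FROM')` and the strip at `src.replace('ALLOW-FROM', '')` are case-sensitive, whereas RFC 7034 and the browsers that implemented ALLOW-FROM treat the directive case-insensitively, so a response carrying `allow-from https://example.com` is returned unchanged and still names the origin server rather than the proxy — the same blocked-iframe symptom this commit fixes, just under a different spelling. A case-insensitive match fixes both lines: `if (!/allow-from/i.test(src)) return src;` and `src = src.replace(/allow-from/i, '').trim();`. The remainder of the value is handed to `ctx.toProxyUrl` without validation and the code assumes the value holds a single directive, so if a duplicated header reaches the proxy joined as `DENY, ALLOW-FROM https://example.com` the transform would try to proxy `DENY, https://example.com`; whether `toProxyUrl` tolerates that is not visible here. It is also worth a comment on the return line that the rewritten value names the proxy origin, e.g. `// NOTE: after rewriting, ALLOW-FROM points at the proxy origin, so framing is restricted to pages served through the proxy, not to the original origin`, since the clickjacking restriction is then only as strong as the proxy's host/port separation. The `responseTransforms` object this entry belongs to starts above the hunk.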

72 changes: 72 additions & 0 deletions test/server/proxy-test.js
Expand Up @@ -254,6 +254,13 @@ describe('Proxy', function () {
res.end('');
});

app.get('/x-frame-options/:value', function (req, res) {
var value = req.params.value;

res.setHeader('x-frame-options', value);
res.end('42');
});

destServer = app.listen(2000);


Expand Down Expand Up @@ -1624,5 +1631,70 @@ describe('Proxy', function () {
done();
});
});

it('Should procees "x-frame-options" header (GH-1017)', function () {
var getIframeProxyUrl = function (url) {
return urlUtils.getProxyUrl(url, {
proxyHostname: '127.0.0.1',
proxyPort: 1836,
sessionId: session.id,
resourceType: urlUtils.getResourceTypeString({ isIframe: true })
});
};
var getCrossDomainIframeProxyUrl = function (url) {
return urlUtils.getProxyUrl(url, {
proxyHostname: '127.0.0.1',
proxyPort: 1837,
sessionId: session.id,
resourceType: urlUtils.getResourceTypeString({ isIframe: true })
});
};

proxy.openSession('http://127.0.0.1:2000/', session);

var testCases = [
{
url: proxy.openSession('http://127.0.0.1:2000/x-frame-options/DENY', session),
expectedHeaderValue: 'DENY'
},
{
url: proxy.openSession('http://127.0.0.1:2000/x-frame-options/SAMEORIGIN', session),
expectedHeaderValue: 'SAMEORIGIN'
},
{
url: proxy.openSession('http://127.0.0.1:2000/x-frame-options/ALLOW-FROM%20https%3A%2F%2Fexample.com', session),
expectedHeaderValue: 'ALLOW-FROM ' + proxy.openSession('https://example.com', session)
},
{
url: proxy.openSession('http://127.0.0.1:2000/x-frame-options/ALLOW-FROM%20http%3A%2F%2F127.0.0.1%3A2000%2Fpage', session),
expectedHeaderValue: 'ALLOW-FROM ' + proxy.openSession('http://127.0.0.1:2000/page', session)
},
{
url: getIframeProxyUrl('http://127.0.0.1:2000/x-frame-options/ALLOW-FROM%20https%3A%2F%2Fexample.com'),
expectedHeaderValue: 'ALLOW-FROM ' + getCrossDomainIframeProxyUrl('https://example.com')
},
{
url: getIframeProxyUrl('http://127.0.0.1:2000/x-frame-options/ALLOW-FROM%20http%3A%2F%2F127.0.0.1%3A2000'),
expectedHeaderValue: 'ALLOW-FROM ' + getIframeProxyUrl('http://127.0.0.1:2000')
}
];


var testRequest = function (testCase) {
return new Promise(function (resolve) {
var options = {
url: testCase.url
};

request(options, function (err, req) {
expect(req.headers['x-frame-options']).eql(testCase.expectedHeaderValue);

resolve();
});
});
};

return Promise.all(testCases.map(testRequest));
});
});
});
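Review bot: The `testRequest` helper in the second hunk never checks `err` and builds its Promise with only `resolve`, so when `request` fails `req` is undefined and `req.headers` throws inside the callback; because that callback runs outside the executor the exception does not become a rejection, and the test hangs until Mocha's timeout instead of surfacing the real error. The same applies when `expect(...).eql(...)` fails, since the assertion runs in the callback rather than in the promise chain. Resolving with the header value and asserting in a `.then` fixes both, as shown below (the callback's second argument is the response, so `res` is a more accurate name than `req`). The `it` title on the hunk's first added line also misspells "process" as "procees", and no test case covers a lowercase `allow-from` value or extra whitespace around the origin. The enclosing `describe('Proxy', ...)` block starts above the hunk.
```javascript
var testRequest = function (testCase) {
    return new Promise(function (resolve, reject) {
        request({ url: testCase.url }, function (err, res) {
            if (err)
                return reject(err);

            resolve(res.headers['x-frame-options']);
        });
    }).then(function (value) {
        expect(value).eql(testCase.expectedHeaderValue);
    });
};

// … unchanged: return Promise.all(testCases.map(testRequest)); …
```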
