Move embed security headers from h5bp to wordpress-site.conf

roots · Apr 10, 2018 · 7853016 · 7853016
1 parent c8e2f51
commit 7853016
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 11 deletions.
diff --git a/roles/nginx/templates/h5bp/directive-only/extra-security.conf b/roles/nginx/templates/h5bp/directive-only/extra-security.conf
@@ -1,12 +1,6 @@
 # The X-Frame-Options header indicates whether a browser should be allowed
 # to render a page within a frame or iframe.
-# Avoid SAMEORIGIN conflict with ALLOW-FROM in Safari with WordPress Customizer
-# until https://core.trac.wordpress.org/ticket/40020 is resolved
-set $x_frame_options SAMEORIGIN;
-if ($arg_customize_changeset_uuid) {
-  set $x_frame_options "";
-}
-add_header X-Frame-Options $x_frame_options always;
+# add_header X-Frame-Options SAMEORIGIN always;
 
 # MIME type sniffing security protection
 #	There are very few edge cases where you wouldn't want this enabled.
@@ -21,7 +15,3 @@ add_header X-XSS-Protection "1; mode=block" always;
 # CSP can be quite difficult to configure, and cause real issues if you get it wrong
 # There is website that helps you generate a policy here http://cspisawesome.com/
 # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
-
-# The HTTP Content-Security-Policy (CSP) frame-ancestors directive specifies valid parents
-# that may embed a page using <frame>, <iframe>, <object>, <embed>, or <applet>.
-add_header Content-Security-Policy "frame-ancestors 'self'" always;
diff --git a/roles/wordpress-setup/templates/wordpress-site.conf.j2 b/roles/wordpress-setup/templates/wordpress-site.conf.j2
@@ -161,6 +161,20 @@ server {
 
   {% endblock %}
 
+  {% block embed_security -%}
+  {% if item.value.nginx_embed_security | default(nginx_embed_security | default(true)) -%}
+  add_header Content-Security-Policy "frame-ancestors 'self'" always;
+
+  # Conditional X-Frame-Options until https://core.trac.wordpress.org/ticket/40020 is resolved
+  set $x_frame_options SAMEORIGIN;
+  if ($arg_customize_changeset_uuid) {
+    set $x_frame_options "";
+  }
+  add_header X-Frame-Options $x_frame_options always;
+
+  {% endif -%}
+  {% endblock -%}
+
   {% block location_php -%}
   location ~ \.php$ {
     {% block location_php_basic -%}