From 6a438439b9919093b9bc263e58baaf7ef290a268 Mon Sep 17 00:00:00 2001
From: Vladyslav Tymofeiev <40686030+VladyslavTy@users.noreply.github.com>
Date: Tue, 13 Aug 2024 13:05:06 +0300
Subject: [PATCH] Add Content-Security-Policy header to nginx config (#434)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Add Content-Security-Policy header to nginx config
* Try to use newer version of python for test workflow
* Downgrade the setuptools version to install demjson
* Add wheel installation step
* Use ubuntu-20.04 for github action runner
* Add trusted host workaround for tests workflow
* Freeze setuptools version to 57.4.0
* Use setuptools<58
* Use quotes for "setuptools<58"
* Add wheel installation
* Revert workflow changes and update changelog

---------

Co-authored-by: Vladyslav Tymofeiev <“vladyslavty@softwareplanetgroup.com”>
---
 .github/workflows/playbook-test.yml | 2 ++
 .github/workflows/syntax-test.yml | 2 +-
 CHANGELOG.md | 4 ++++
 .../nginx/templates/edx/app/nginx/sites-available/lms.j2 | 5 +++++
 4 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/playbook-test.yml b/.github/workflows/playbook-test.yml
index 119c2d0d3a0..980ec0a2807 100644
--- a/.github/workflows/playbook-test.yml
+++ b/.github/workflows/playbook-test.yml
@@ -27,6 +27,8 @@ jobs:
 uses: actions/setup-python@v3
 with:
 python-version: ${{ matrix.python-version }}
+ env:
+ PIP_TRUSTED_HOST: "pypi.python.org pypi.org files.pythonhosted.org"
 - name: Install Dependencies
 run: |
 pip install demjson
diff --git a/.github/workflows/syntax-test.yml b/.github/workflows/syntax-test.yml
index 05b5c0eb711..690a90b9ee8 100644
--- a/.github/workflows/syntax-test.yml
+++ b/.github/workflows/syntax-test.yml
@@ -33,4 +33,4 @@ jobs:
 pip install -r requirements.txt
 - name: Run Make test.syntax
 run: |
- timeout 90m make --keep-going test.syntax
+ timeout 90m make --keep-going test.syntax 
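Review bot: `PIP_TRUSTED_HOST` is added under the `env:` of the setup-python step, and a step-level `env` in GitHub Actions is scoped to that step alone, so as far as this hunk shows it never reaches the `pip install demjson` in the following "Install Dependencies" step and is inert. If it is later moved to the install step or to job level it will do exactly what it says: pip will accept pypi.org and files.pythonhosted.org without validating their TLS certificates, so any on-path party could substitute the packages being installed — a supply-chain weakening that should not live in CI config. If the runner genuinely has a certificate problem, point pip at a trusted CA bundle with `PIP_CERT` instead, or simply drop the two added lines; the commit message says the workflow changes were reverted, so this may be a leftover. The enclosing `jobs:` block starts and ends outside the hunk.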
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 80855cf4846..21c74be4008 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,10 @@ All notable changes to this project will be documented in this file. Add any new changes to the top(right below this line). +- Role: nginx + - Add the possibility to add the header `Content-Security-Policy frame-ancestors`. This is configured by the + EDXAPP_LMS_IFRAME_ENABLED switcher and EDXAPP_LMS_FRAME-ANCESTORS value. + - Role: edxapp BREAKING_CHANGE - The sandbox environment that runs instructor written python code used to run python 2.7. We update the default to python 3.5 but provide a new variable to be able to go back to the old setting. If `edxapp_sandbox_python_version`
diff --git a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2 b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
index f159b9e5cad..cb5fe33d3de 100644
--- a/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
+++ b/playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2
@@ -121,6 +121,11 @@ error_page {{ k }} {{ v }};
 # prevent the browser from doing MIME-type sniffing
 add_header X-Content-Type-Options nosniff;
+ {% if EDXAPP_LMS_IFRAME_ENABLED %}
+ # Allow iFrame for the provided hosts
+ add_header Content-Security-Policy "frame-ancestors 'self' {{ EDXAPP_LMS_FRAME-ANCESTORS }}";
+ {% endif %}
+
 # Prevent invalid display courseware in IE 10+ with high privacy settings
 add_header P3P '{{ NGINX_P3P_MESSAGE }}';
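Review bot: `{{ EDXAPP_LMS_FRAME-ANCESTORS }}` on the added `add_header Content-Security-Policy` line is not one variable: Jinja2 identifiers cannot contain `-`, so this parses as `EDXAPP_LMS_FRAME - ANCESTORS`, and with `EDXAPP_LMS_IFRAME_ENABLED` true the template will fail on the undefined names (or, if both happen to exist, emit an arithmetic result) instead of the configured origin list; rename it to `EDXAPP_LMS_FRAME_ANCESTORS` here and in the changelog entry. The value is also spliced verbatim into a double-quoted nginx string, so a stray `"` or `;` in the variable breaks the config or alters the directive; a comment such as `# space-separated list of origins allowed to frame the LMS, e.g. https://lti.example.org (constructed example)` would tell operators the expected form. Note too that nginx `add_header` directives are not inherited by a nested `location` that declares its own `add_header`, so the frame-ancestors policy may be absent from responses served by such locations — whether any exist cannot be seen from this hunk. The enclosing `server` block starts and ends outside the hunk.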