Added decorator exclude_xframe_options_header

canonical · Jan 15, 2021 · 905a057 · 905a057
1 parent 27762db
commit 905a057
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 2 deletions.
diff --git a/canonicalwebteam/flask_base/app.py b/canonicalwebteam/flask_base/app.py
@@ -20,7 +20,17 @@
 
 
 def set_security_headers(response):
-    response.headers["X-Frame-Options"] = "SAMEORIGIN"
+    add_xframe_options_header = True
+
+    # Check if view_function has exclude_xframe_options_header decorator
+    if flask.request.endpoint in flask.current_app.view_functions:
+        view_func = flask.current_app.view_functions[flask.request.endpoint]
+        add_xframe_options_header = not hasattr(
+            view_func, "_exclude_xframe_options_header"
+        )
+
+    if add_xframe_options_header and "X-Frame-Options" not in response.headers:
+        response.headers["X-Frame-Options"] = "SAMEORIGIN"
 
     return response
 

diff --git a/canonicalwebteam/flask_base/decorators.py b/canonicalwebteam/flask_base/decorators.py
@@ -0,0 +1,3 @@
+def exclude_xframe_options_header(func):
+    func._exclude_xframe_options_header = True
+    return func
diff --git a/setup.py b/setup.py
@@ -2,7 +2,7 @@
 
 setup(
     name="canonicalwebteam.flask-base",
-    version="0.7.2",
+    version="0.7.3",
     description=(
         "Flask extension that applies common configurations"
         "to all of webteam's flask apps."