From 4467a3703f8f0f1d74e1d463174a4f951342a3c9 Mon Sep 17 00:00:00 2001
From: Matt Clarkson
Date: Thu, 8 Mar 2018 10:06:22 +1300
Subject: [PATCH] Bug 1789297: module/lti: Allow mahara to load in an iframe

behatnotneeded

Change-Id: I4d88cba9ca6bf9629a99203ac8ed1561e3d77c0d
---
 htdocs/init.php | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/htdocs/init.php b/htdocs/init.php
index 28f37f2eb1..d67aabd5ea 100644
--- a/htdocs/init.php
+++ b/htdocs/init.php
@@ -363,7 +363,7 @@ if (!defined('CLI')) {
         header('Pragma: no-cache');
 
         // Security headers. See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
-        header('X-Frame-Options: SAMEORIGIN');
+        header('X-XSS-Protection: 1; mode=block');
         header('X-Content-Type-Options: nosniff');
         header('X-Permitted-Cross-Domain-Policies: master-only');
 
@@ -372,6 +372,16 @@ if (!defined('CLI')) {
     }
     // Don't print precise PHP version as an HTTP header
     header_remove('x-powered-by');
+
+    // Allow LTI to load in an iframe
+    if ($csp_ancestor_exemption = $SESSION->get('csp-ancestor-exemption')) {
+        header("Content-Security-Policy: frame-ancestors 'self' $csp_ancestor_exemption");
+        header('X-Frame-Options: ALLOW-FROM '. $csp_ancestor_exemption);
+    }
+    else {
+        header("Content-Security-Policy: frame-ancestors 'self'");
+        header('X-Frame-Options: SAMEORIGIN');
+    }
 }
 
 // Only do authentication once we know the page theme, so that the login form
-- 
GitLab
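Review bot: The session value `csp-ancestor-exemption` is interpolated into both the `Content-Security-Policy` and `X-Frame-Options` headers in the second hunk with no validation of its shape, so a value containing `;` or whitespace would extend the CSP with extra directives or produce a malformed `ALLOW-FROM`; the code that stores it is not in this diff, so whether it is already constrained to a single origin cannot be confirmed here. I would guard the branch on an explicit origin pattern before using it, e.g. `if ($csp_ancestor_exemption && preg_match('#^https?://[A-Za-z0-9.\-]+(:\d+)?$#', $csp_ancestor_exemption)) {`, and fall through to the `'self'`/`SAMEORIGIN` branch otherwise. Note also that `ALLOW-FROM` accepts exactly one URI and is ignored by browsers that implement `frame-ancestors`, so a comment such as `// X-Frame-Options ALLOW-FROM is a single-origin fallback for browsers without frame-ancestors support` would make the precedence clear to the next maintainer. The enclosing `if (!defined('CLI'))` block begins before the hunk; only its closing brace is visible.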