diff --git a/apps/block_scout_web/lib/block_scout_web/plug/allow_iframe.ex b/apps/block_scout_web/lib/block_scout_web/plug/allow_iframe.ex
new file mode 100644
index 0000000000..ee20311efc
--- /dev/null
+++ b/apps/block_scout_web/lib/block_scout_web/plug/allow_iframe.ex
@@ -0,0 +1,14 @@
+defmodule BlockScoutWeb.Plug.AllowIframe do
+  @moduledoc """
+  Allows for iframes by deleting the
+  [`X-Frame-Options` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options)
+  """
+
+  alias Plug.Conn
+
+  def init(opts), do: opts
+
+  def call(conn, _opts) do
+    Conn.delete_resp_header(conn, "x-frame-options")
+  end
+end
diff --git a/apps/block_scout_web/lib/block_scout_web/router.ex b/apps/block_scout_web/lib/block_scout_web/router.ex
index 577a414163..b5825d44f5 100644
--- a/apps/block_scout_web/lib/block_scout_web/router.ex
+++ b/apps/block_scout_web/lib/block_scout_web/router.ex
@@ -55,8 +55,14 @@ defmodule BlockScoutWeb.Router do
       max_complexity: @max_complexity
     )
 
+    # Disallows Iframes (write routes)
     scope "/", BlockScoutWeb do
       pipe_through(:browser)
+    end
+
+    # Allows Iframes (read-only routes)
+    scope "/", BlockScoutWeb do
+      pipe_through([:browser, BlockScoutWeb.Plug.AllowIframe])
 
       resources("/", ChainController, only: [:show], singleton: true, as: :chain)
 
diff --git a/apps/block_scout_web/test/block_scout_web/controllers/tokens/inventory_controller_test.ex b/apps/block_scout_web/test/block_scout_web/controllers/tokens/inventory_controller_test.exs
similarity index 100%
rename from apps/block_scout_web/test/block_scout_web/controllers/tokens/inventory_controller_test.ex
rename to apps/block_scout_web/test/block_scout_web/controllers/tokens/inventory_controller_test.exs
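Review bot: `call/2` in the new `AllowIframe` plug deletes `x-frame-options` unconditionally, which permits framing from any origin rather than a known set of embedders, and the `@moduledoc` should say so explicitly, together with the ordering requirement that it only has an effect when it runs after the plug that sets the header (in the router hunk it is listed after `:browser`, which presumably sets it via `put_secure_browser_headers` — confirm). The doc should also note that if a `content-security-policy` with `frame-ancestors` is emitted anywhere in the pipeline, removing `x-frame-options` alone will not let browsers frame the page. As a style point, make the contract explicit: add `@behaviour Plug` after the moduledoc and `@impl true` before `init/1` and before `call/2`.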
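Review bot: In the router hunk the first `scope "/", BlockScoutWeb do ... end` (commented "Disallows Iframes (write routes)") is left empty, and the hunk ends inside the new `AllowIframe` scope, so it is not visible whether any state-changing routes remain under plain `:browser` or whether every route, write routes included, was moved under the iframe-permitting pipeline; in the latter case the comment is misleading and those routes lose their clickjacking protection. Please confirm the split and either move the write routes back into the first scope or drop the empty scope and its comment. A router or controller test that asserts `get_resp_header(conn, "x-frame-options") == []` for `ChainController.show` and a non-empty header for one write route would pin the intended behaviour. The second scope's body continues beyond the end of this hunk.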