
Configure Padrino to set CSP header #2204

Open
Makrau opened this issue Nov 27, 2018 · 1 comment


Makrau commented Nov 27, 2018

I have an application that uses Padrino, and in it we are having a problem because there is a page that needs to be opened in an iframe in another application. At first the page is blocked because x-frame-options is set to sameorigin.

As I researched in more detail, I found that the best solution would be to use Content Security Policy, which is supported by most browsers.

However, I cannot get Padrino to use it. I saw that Padrino uses Sinatra and Rack::Protection to set up the header, but I cannot get my application to put the Content-Security-Policy header on the response.

I was able to disable x-frame-options to avoid conflicts, but I cannot enable CSP.

Here is my config/apps.rb:

```ruby
# config/apps.rb
Padrino.configure_apps do
  # enable :sessions
  set :session_secret, '<some secret>'
  set :protection, {:use => [:content_security_policy], :except => [:path_traversal, :frame_options], :frame_ancestors => "self <domain that will open my page>"}
  set :protect_from_csrf, true
end
```

Response headers:

```http
HTTP/1.1 200 OK
Server: nginx/1.15.6
Date: Tue, 27 Nov 2018 12:18:42 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 18327
Connection: keep-alive
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
```
achiurizo (Member) commented

I haven't looked too closely at this issue, but you could take a look at the secure_headers library and see if that helps with setting it.

They have a guide to set it up with Sinatra (almost the same setup as Padrino).
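The thread is about getting a `Content-Security-Policy` header with a `frame-ancestors` directive onto a Padrino response so that one other origin (and only that one) may embed the page. As an added example, not code from either poster, from Padrino or from rack-protection, the following Ruby shows the mechanism in the smallest Rack-compatible form: a middleware that serialises a directive hash into the header (the same shape as the `frame_ancestors` option in the issue's config), and a checker that evaluates which embedding origins a `frame-ancestors` source list actually admits, which is a useful way to confirm the policy before it ships. `CspFrameAncestors`, `frame_allowed?`, `HELLO_APP`, `POLICY`, `demo`, and the origins `app.example` and `partner.example` are all constructed for this example; the source matcher is a simplified one (no port or path handling) and is labelled as such in the code.

```ruby
# Added example, not Padrino's or rack-protection's own code.
# A minimal Rack-style middleware that sets Content-Security-Policy with a
# frame-ancestors directive, plus a checker for which origins may embed the page.

class CspFrameAncestors
  # directives: hash of CSP directive name => array of source expressions,
  # e.g. { 'frame-ancestors' => ["'self'", 'https://partner.example'] }
  def initialize(app, directives)
    @app = app
    @directives = directives
  end

  # Serialise the hash into the header value, e.g.
  # "default-src 'self'; frame-ancestors 'self' https://partner.example"
  def header_value
    @directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join('; ')
  end

  # Rack interface: run the downstream app, then add the header to its response.
  def call(env)
    status, headers, body = @app.call(env)
    [status, headers.merge('Content-Security-Policy' => header_value), body]
  end
end

# Simplified source-expression matcher (assumption: origins are compared as
# lowercase "scheme://host" strings; real CSP matching also handles ports and paths).
# Supports 'self', scheme-only sources ("https:"), exact origins and a leading
# wildcard label ("https://*.example.com").
def source_matches?(src, page_origin, embedder_origin)
  return embedder_origin == page_origin if src == "'self'"
  return embedder_origin.start_with?(src) if src.match?(/\A[a-z][a-z0-9+.-]*:\z/i)
  if (m = src.match(%r{\A([a-z][a-z0-9+.-]*://)\*\.([^/]+)\z}i))
    return embedder_origin.start_with?(m[1]) && embedder_origin.end_with?(".#{m[2]}")
  end
  embedder_origin == src
end

# True if a page served from page_origin may be framed by a document at
# embedder_origin under the given frame-ancestors source list.
def frame_allowed?(sources, page_origin, embedder_origin)
  return false if sources.include?("'none'")
  sources.any? { |src| source_matches?(src, page_origin, embedder_origin) }
end

# Constructed downstream app and policy; no real server or network involved.
HELLO_APP = ->(_env) { [200, { 'Content-Type' => 'text/html;charset=utf-8' }, ['<h1>hello</h1>']] }

POLICY = {
  'default-src'     => ["'self'"],
  'frame-ancestors' => ["'self'", 'https://partner.example']
}

# Run one constructed GET request through the middleware and return its headers.
def demo
  app = CspFrameAncestors.new(HELLO_APP, POLICY)
  _status, headers, _body = app.call({ 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' })
  headers
end

if __FILE__ == $PROGRAM_NAME
  puts "Content-Security-Policy: #{demo['Content-Security-Policy']}"
  %w[https://app.example https://partner.example https://evil.example].each do |origin|
    allowed = frame_allowed?(POLICY['frame-ancestors'], 'https://app.example', origin)
    puts "#{origin} may embed the page: #{allowed}"
  end
end
```

The checker makes the trade-off in the thread concrete: `X-Frame-Options` can only express `DENY` or `SAMEORIGIN` (its `ALLOW-FROM` form is deprecated and was never widely supported), whereas `frame-ancestors` takes a list of sources, and browsers that implement `frame-ancestors` give it precedence over `X-Frame-Options` when both are present. Keeping `'self'` in the list alongside the single partner origin, as the issue's config does, is the narrowest policy that still lets the partner application embed the page.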
