From f092bf11beddde3e4c63d957f85a40c7629d1310 Mon Sep 17 00:00:00 2001
From: Mathias Rav
Date: Mon, 30 Jul 2018 13:19:34 +0200
Subject: [PATCH] Set X-Frame-Options: SAMEORIGIN on preview

If a project has X_FRAME_OPTIONS = 'DENY' in its settings, then the preview iframe is not shown. Simply force X-Frame-Options to be SAMEORIGIN to avoid this problem.
---
 src/wiki/views/article.py | 2 ++
 tests/core/test_views.py | 22 ++++++++++++++++++++--
 2 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/src/wiki/views/article.py b/src/wiki/views/article.py
index c6b2df13..db3edb08 100644
--- a/src/wiki/views/article.py
+++ b/src/wiki/views/article.py
@@ -15,6 +15,7 @@ from django.views.generic import DetailView
 from django.views.generic.base import RedirectView, TemplateView, View
 from django.views.generic.edit import FormView
 from django.views.generic.list import ListView
+from django.views.decorators.clickjacking import xframe_options_sameorigin
 from wiki import editors, forms, models
 from wiki.conf import settings
 from wiki.core import permissions
@@ -822,6 +823,7 @@ class Preview(ArticleMixin, TemplateView):
 template_name = "wiki/preview_inline.html"
+ @method_decorator(xframe_options_sameorigin)
 @method_decorator(get_article(can_read=True, deleted_contents=True))
 def dispatch(self, request, article, *args, **kwargs):
 revision_id = request.GET.get('r', None)
diff --git a/tests/core/test_views.py b/tests/core/test_views.py
index 7585f875..cf62f9fb 100644
--- a/tests/core/test_views.py
+++ b/tests/core/test_views.py
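Review bot: The new `from django.views.decorators.clickjacking import xframe_options_sameorigin` line is placed after the `django.views.generic.*` imports, which breaks the alphabetical order the surrounding block otherwise keeps (`decorators` sorts before `generic`). Moving it above `from django.views.generic import DetailView` keeps the block isort-clean and avoids a later reorder commit. This is a style point only; the import itself is correct.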
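Review bot: The added `@method_decorator(xframe_options_sameorigin)` on Preview.dispatch deliberately overrides a project-wide X_FRAME_OPTIONS policy, but the code carries no comment saying so; the reason lives only in the commit message. Suggest a line above it such as `# The editor shows the preview in a same-origin iframe; force SAMEORIGIN so a project-level X_FRAME_OPTIONS = 'DENY' does not blank it. Cross-origin framing stays blocked.` Placing the decorator outermost looks right: the header is applied to whatever get_article's wrapper returns, and as far as I recall Django's decorator only sets X-Frame-Options when the response has none while XFrameOptionsMiddleware leaves a response that already carries the header alone, so the project's DENY is not re-applied. The body of dispatch continues outside the hunk.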
@@ -269,11 +269,11 @@ class MoveViewTest(RequireRootArticleMixin, ArticleWebTestUtils, DjangoClientTes
 response = self.get_by_path('test0/test2/')
 self.assertContains(response, 'Moved: Test1')
- self.assertRegex(response.content, br'moved to ]*>wiki:/test1new/')
+ self.assertRegex(response.rendered_content, r'moved to ]*>wiki:/test1new/')
 response = self.get_by_path('test0/test2/test020/')
 self.assertContains(response, 'Moved: Test020')
- self.assertRegex(response.content, br'moved to ]*>wiki:/test1new/test020')
+ self.assertRegex(response.rendered_content, r'moved to ]*>wiki:/test1new/test020')
 # Check that moved_to was correctly set
 urlsrc = URLPath.get_by_path('/test0/test2/')
@@ -348,6 +348,24 @@ class EditViewTest(RequireRootArticleMixin, ArticleWebTestUtils, DjangoClientTes
 self.assertContains(response, 'The modified text')
+ def test_preview_xframe_options_sameorigin(self):
+ """Ensure that preview response has X-Frame-Options: SAMEORIGIN"""
+ example_data = {
+ 'content': 'The modified text',
+ 'current_revision': str(URLPath.root().article.current_revision.id),
+ 'preview': '1',
+ 'summary': 'why edited',
+ 'title': 'wiki test'
+ }
+ response = self.client.post(
+ resolve_url('wiki:preview', path=''),
+ example_data
+ )
+ self.assertEquals(response.get('X-Frame-Options'), 'SAMEORIGIN')
 def test_revision_conflict(self):
 """
 Test the warning if the same article is being edited concurrently.
-- 
2.45.2
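Review bot: The two assertRegex changes from `response.content` to `response.rendered_content` in MoveViewTest have nothing to do with the X-Frame-Options subject of this patch and would bisect more cleanly as a separate commit. `rendered_content` exists only on a TemplateResponse, so the test now silently depends on get_by_path returning one; if the goal was just to match on text rather than bytes, `response.content.decode()` keeps the check independent of the response class. The test method these lines belong to starts outside the hunk.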
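Review bot: test_preview_xframe_options_sameorigin does not exercise the case the commit message describes, a project with X_FRAME_OPTIONS = 'DENY': with the default setting of the Django releases of that time the middleware emits SAMEORIGIN on its own, so the assertion passes with or without the new decorator. Decorating the test with `@override_settings(X_FRAME_OPTIONS='DENY')` (from django.test; the file's import block is outside this hunk) makes it fail when the decorator is removed, which is what a regression test for this fix needs. `assertEquals` is a deprecated alias; prefer `self.assertEqual(response['X-Frame-Options'], 'SAMEORIGIN')`, which also fails loudly with a missing header instead of comparing None.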