From 254384cb229201c6af51c46e5c719c3e1bc03ab6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=B4mulo=20Penido?=
Date: Wed, 11 Sep 2024 16:54:50 -0300
Subject: [PATCH] fix: add CSP

---
 openedx/core/djangoapps/xblock/rest_api/views.py | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/openedx/core/djangoapps/xblock/rest_api/views.py b/openedx/core/djangoapps/xblock/rest_api/views.py
index 5a4243e45747..c6fc9f42ec1f 100644
--- a/openedx/core/djangoapps/xblock/rest_api/views.py
+++ b/openedx/core/djangoapps/xblock/rest_api/views.py
@@ -123,8 +123,11 @@ def embed_block_view(request, usage_key_str, view_name):
         'is_development': settings.DEBUG,
     }
     response = render(request, 'xblock_v2/xblock_iframe.html', context, content_type='text/html')
-    # TODO: add the course authoring MFE and learner MFE URLs to CSP frame-ancestors
-    # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+
+    # Only allow this iframe be embedded if the parent is in the CORS_ORIGIN_WHITELIST
+    cors_origin_whitelist = configuration_helpers.get_value('CORS_ORIGIN_WHITELIST', settings.CORS_ORIGIN_WHITELIST)
+    response["Content-Security-Policy"] = f"frame-ancestors 'self' {' '.join(cors_origin_whitelist)};"
+
     return response
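Review bot: The header on the `response["Content-Security-Policy"]` line is built straight from whatever `get_value` returns, so an empty allowlist yields `frame-ancestors 'self' ;` and, if site configuration can hold this value as a single string rather than a list (not visible here), `' '.join` would split it into characters; normalising the value before the join, as below, avoids both. The assignment also replaces any `Content-Security-Policy` already present on the response instead of merging with it, which deserves a comment if a middleware elsewhere sets that header. The comment on the added line should read `# Only allow this iframe to be embedded if the parent is in the CORS_ORIGIN_WHITELIST` and could add that this reuses the CORS allowlist as the embedding allowlist, so every origin listed there is also trusted to frame the block. The body of embed_block_view starts before this hunk.
```python
    # Only allow this iframe to be embedded if the parent is in the CORS_ORIGIN_WHITELIST.
    # NOTE: this reuses the CORS allowlist as the frame-ancestors allowlist, so every
    # origin permitted to read the API is also permitted to frame this view.
    cors_origin_whitelist = configuration_helpers.get_value('CORS_ORIGIN_WHITELIST', settings.CORS_ORIGIN_WHITELIST)
    if isinstance(cors_origin_whitelist, str):  # tolerate a single-origin string from site config
        cors_origin_whitelist = cors_origin_whitelist.split()
    frame_ancestors = ' '.join(["'self'", *cors_origin_whitelist])
    # Overwrites any CSP already set on this response; merge here if a middleware adds one.
    response["Content-Security-Policy"] = f"frame-ancestors {frame_ancestors};"
    # … unchanged: return response …
```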