From b2771a29bb8654240536eb83b36ee7f5429742d3 Mon Sep 17 00:00:00 2001
From: Magnus Hagander
Date: Sat, 29 Dec 2018 11:48:02 +0100
Subject: [PATCH] Allow framing google.com on account signup page

This is used for the recaptcha. Also enable this for oauth signups, previously missed.
---
 pgweb/account/views.py | 6 +++++-
 pgweb/util/decorators.py | 3 +++
 pgweb/util/middleware.py | 5 ++++-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/pgweb/account/views.py b/pgweb/account/views.py
index 61210525..97ae3cf1 100644
--- a/pgweb/account/views.py
+++ b/pgweb/account/views.py
@@ -3,7 +3,7 @@ from django.contrib.auth import login as django_login
 import django.contrib.auth.views as authviews
 from django.http import HttpResponseRedirect, Http404, HttpResponse
 from django.shortcuts import get_object_or_404
-from pgweb.util.decorators import login_required, script_sources
+from pgweb.util.decorators import login_required, script_sources, frame_sources
 from django.utils.encoding import force_bytes
 from django.utils.http import urlsafe_base64_encode
 from django.contrib.auth.tokens import default_token_generator
@@ -295,6 +295,7 @@ def reset_complete(request):
 
 @script_sources('https://www.google.com/recaptcha/')
 @script_sources('https://www.gstatic.com/recaptcha/')
+@frame_sources('https://www.google.com/')
 def signup(request):
 	if request.user.is_authenticated():
 		return HttpServerError(request, "You must log out before you can sign up for a new account")
@@ -351,6 +352,9 @@ def signup_complete(request):
 	})
 
 
+@script_sources('https://www.google.com/recaptcha/')
+@script_sources('https://www.gstatic.com/recaptcha/')
+@frame_sources('https://www.google.com/')
 @transaction.atomic
 def signup_oauth(request):
 	if not request.session.has_key('oauth_email') \
diff --git a/pgweb/util/decorators.py b/pgweb/util/decorators.py
index 2af6012e..ca8d40f1 100644
--- a/pgweb/util/decorators.py
+++ b/pgweb/util/decorators.py
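Review bot: The frame allowlist added above `signup` is broader than the sibling script allowlist: `@frame_sources('https://www.google.com/')` permits any page under www.google.com to be embedded, while the two `@script_sources` decorators right next to it are already scoped to the `/recaptcha/` path. CSP source expressions match on path prefix, so if the reCAPTCHA frames are served from under the same `/recaptcha/` path the scripts come from, `@frame_sources('https://www.google.com/recaptcha/')` keeps the same least-privilege scope and makes the three decorators consistent. The same applies to the identical `@frame_sources('https://www.google.com/')` added above `signup_oauth` in the next hunk. The bodies of both `signup` and `signup_oauth` continue outside the hunk.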
@@ -42,6 +42,9 @@ def content_sources(what, source):
 def script_sources(source):
 	return content_sources('script', source)
 
+def frame_sources(source):
+	return content_sources('frame', source)
+
 # A wrapped version of login_required that throws an exception if it's
 # used on a path that's not under /account/.
 def login_required(f):
diff --git a/pgweb/util/middleware.py b/pgweb/util/middleware.py
index 9a982c69..01f6051d 100644
--- a/pgweb/util/middleware.py
+++ b/pgweb/util/middleware.py
@@ -50,7 +50,10 @@ class PgMiddleware(object):
 		])
 		if hasattr(response, 'x_allow_extra_sources'):
 			for k,v in response.x_allow_extra_sources.items():
-				sources[k].extend(v)
+				if k in sources:
+					sources[k].extend(v)
+				else:
+					sources[k] = v
 		security_policies = ["{0}-src {1}".format(k," ".join(v)) for k,v in sources.items()]
 
 
-- 
2.39.5
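Review bot: `frame_sources` is added without any comment, and unlike `script_sources` its name does not make the resulting CSP directive obvious to a reader of this file alone; the middleware turns the `'frame'` key into a `frame-src` directive, so a one-line comment above the def such as `# Allow the view to embed frames from source (adds to the CSP frame-src directive).` would document that. It is also worth recording next to it that `frame-src` was deprecated in CSP Level 2 in favour of `child-src` and only reinstated in Level 3, so a browser honouring only the Level 2 directive would fall back to `child-src`/`default-src` rather than this list. The body of `content_sources`, which these helpers delegate to, is outside the hunk.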
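Review bot: The new `else` branch stores the decorator-supplied list object itself in `sources[k]` instead of a copy, so the per-response policy aliases whatever `x_allow_extra_sources` holds; if anything later extends that entry in place, the mutation would land in the object the decorator attached rather than in this response's policy. A copy removes the aliasing at no cost: `sources[k] = list(v)`. It also follows from this branch that a directive absent from the base `sources` dict is emitted with only the decorator's entries, which differs from the `extend` path and deserves a one-line comment so the next reader does not assume the base entries are merged in. The enclosing method of `PgMiddleware` starts and ends outside the hunk.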