frameAncestors -> csp

It seems we cannot separate frame-ancestors from the rest of the CSP, because
proxy_hide_header hides the entire upstream header rather than a specific
directive. This means that the user has to set or unset the full policy wholesale.
This commit is contained in:
Girish Ramakrishnan
2019-10-14 16:59:22 -07:00
parent 61b6bee946
commit 8878bc4bf9
7 changed files with 29 additions and 70 deletions
+4 -6
@@ -98,14 +98,12 @@ server {
# CSP headers for the admin/dashboard resources
add_header Content-Security-Policy "default-src 'none'; frame-src 'self' cloudron.io *.cloudron.io; connect-src wss: https: 'self' *.cloudron.io; script-src https: 'self' 'unsafe-inline' 'unsafe-eval'; img-src * data:; style-src https: 'unsafe-inline'; object-src 'none'; font-src https: 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self';";
<% } else { %>
<% if (frameAncestorsQuoted) { %>
add_header Content-Security-Policy "Frame-ancestors <%- frameAncestorsQuoted %>";
<% } else { %>
add_header Content-Security-Policy "Frame-ancestors 'self'";
<% if (cspQuoted) { %>
add_header Content-Security-Policy <%- cspQuoted %>;
<% } %>
<% for (var i = 0; i < hiddenUpstreamHeaders.length; i++) { -%>
proxy_hide_header <%= hiddenUpstreamHeaders[i] %>;
<% for (var i = 0; i < hideHeaders.length; i++) { -%>
proxy_hide_header <%- hideHeaders[i] %>;
<% } %>
<% } -%>