frameAncestors -> csp

It seems we cannot separate frame-ancestors from the CSP because the hide
header just hides everything and not a specific resource. This means
that the user has to set or unset the full policy wholesale.
This commit is contained in:
Girish Ramakrishnan
2019-10-14 16:59:22 -07:00
parent 61b6bee946
commit 8878bc4bf9
7 changed files with 29 additions and 70 deletions


@@ -464,11 +464,14 @@ function writeAppNginxConfig(app, bundle, callback) {
var sourceDir = path.resolve(__dirname, '..');
var endpoint = 'app';
let frameAncestorsQuoted = null, robotsTxtQuoted = null, hiddenUpstreamHeaders = [];
let robotsTxtQuoted = null, hideHeaders = [], cspQuoted = null;
const reverseProxyConfig = app.reverseProxyConfig || {}; // some of our code uses fake app objects
if (reverseProxyConfig.robotsTxt) robotsTxtQuoted = JSON.stringify(app.reverseProxyConfig.robotsTxt);
if (reverseProxyConfig.frameAncestors) frameAncestorsQuoted = app.reverseProxyConfig.frameAncestors.map(fa => `'${fa}'`).join(' ');
if (reverseProxyConfig.hideHeaders) hiddenUpstreamHeaders = app.reverseProxyConfig.hideHeaders;
if (reverseProxyConfig.csp) {
cspQuoted = `"${app.reverseProxyConfig.csp}"`;
hideHeaders = [ 'Content-Security-Policy' ];
if (reverseProxyConfig.csp.includes('frame-ancestors ')) hideHeaders.push('X-Frame-Options');
}
var data = {
sourceDir: sourceDir,
@@ -480,8 +483,8 @@ function writeAppNginxConfig(app, bundle, callback) {
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
robotsTxtQuoted,
frameAncestorsQuoted,
hiddenUpstreamHeaders
cspQuoted,
hideHeaders
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
@@ -511,8 +514,8 @@ function writeAppRedirectNginxConfig(app, fqdn, bundle, callback) {
certFilePath: bundle.certFilePath,
keyFilePath: bundle.keyFilePath,
robotsTxtQuoted: null,
frameAncestorsQuoted: null,
hiddenUpstreamHeaders: []
cspQuoted: null,
hideHeaders: []
};
var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, data);
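Review bot: The new `cspQuoted` assignment in the first hunk interpolates `app.reverseProxyConfig.csp` into an nginx double-quoted string with no escaping, so a value containing `"` (or a trailing backslash) terminates the string early in whatever `add_header` line NGINX_APPCONFIG_EJS presumably renders it into, and at best breaks the reload for that vhost, at worst lets the remainder be parsed as further nginx directives. Unless the value is validated where `reverseProxyConfig` is set, which this hunk does not show, it should be rejected or escaped before it reaches the template; since a valid CSP never contains `"`, `\` or a newline, rejecting is simplest, e.g. `if (/["\\\r\n]/.test(reverseProxyConfig.csp)) return callback(new Error('invalid csp'));` ahead of the assignment (in whatever error form the function's other early exits use), or otherwise escape `"` and `\` with a backslash, which nginx's quoted-string parser accepts. The `includes('frame-ancestors ')` test on the following line is also brittle, missing `frame-ancestors;` and mixed-case directive names, though because browsers that honour `frame-ancestors` ignore `X-Frame-Options`, leaving that header through is mostly harmless. writeAppNginxConfig starts before the first hunk and continues past the last one.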