jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

frameAncestors -> csp

Browse Source 
It seems we cannot separate frame ancestors from CSP because the hide
header just hides everything and not a specific resource. This means
that the user has to set or unset the full policy whole sale.
This commit is contained in:
Girish Ramakrishnan
2019-10-14 16:59:22 -07:00
parent 61b6bee946
commit 8878bc4bf9
7 changed files with 29 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/routes/apps.js
+1 -5
View File
@@ -259,11 +259,7 @@ function setReverseProxyConfig(req, res, next) {
if (req.body.robotsTxt !== null && typeof req.body.robotsTxt !== 'string') return next(new HttpError(400, 'robotsTxt is not a string'));
if (!Array.isArray(req.body.frameAncestors)) return next(new HttpError(400, 'frameAncestors must be an array'));
if (req.body.frameAncestors.some(fa => typeof fa !== 'string')) return next(new HttpError(400, 'frameAncestors array must contain array of strings'));
if (!Array.isArray(req.body.hideHeaders)) return next(new HttpError(400, 'hideHeaders must be an array'));
if (req.body.hideHeaders.some(h => typeof h !== 'string')) return next(new HttpError(400, 'hideHeaders array must contain array of strings'));
if (req.body.csp !== null && typeof req.body.csp !== 'string') return next(new HttpError(400, 'csp is not a string'));
apps.setReverseProxyConfig(req.params.id, req.body, auditSource.fromRequest(req), function (error) {
if (error) return next(toHttpError(error));