jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Set CSP instead of frameAncestors

Browse Source
This commit is contained in:
Girish Ramakrishnan
2019-10-14 16:50:15 -07:00
parent 13c3624025
commit a641fec3ae
2 changed files with 8 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
src/views/app.html
View File

@@ -624,14 +624,14 @@
<fieldset>
<form role="form" name="securityForm" ng-submit="security.submit()" autocomplete="off">
<div class="form-group">
<label class="control-label" style="width: 100%">Specify robots.txt file content <sup><a ng-href="{{ config.webServerOrigin }}/documentation/apps/#indexing-by-search-engines-robotstxt" class="help" target="_blank"><i class="fa fa-question-circle"></i></a></sup> <a href="" class="pull-right" style="font-weight: normal;" ng-click="security.robotsTxt = ROBOTS_DISABLE_INDEXING_TEMPLATE">Disable indexing</a></label>
<label class="control-label" style="width: 100%">Robots.txt <sup><a ng-href="{{ config.webServerOrigin }}/documentation/apps/#indexing-by-search-engines-robotstxt" class="help" target="_blank"><i class="fa fa-question-circle"></i></a></sup> <a href="" class="pull-right" style="font-weight: normal;" ng-click="security.robotsTxt = ROBOTS_DISABLE_INDEXING_TEMPLATE">Disable indexing</a></label>
<textarea ng-model="security.robotsTxt" placeholder="Leave empty to allow all bots to index this app" class="form-control" rows="4"></textarea>
</div>
<div class="form-group">
<label class="control-label" style="width: 100%">Content Embedding</label>
<p>Provide a space-separated list of domains that can embed this app</p>
<input type="text" class="form-control" ng-model="security.frameAncestors" placeholder="example.com *.example.com"></input>
<label class="control-label" style="width: 100%">Content Security Policy<sup><a ng-href="{{ config.webServerOrigin }}/documentation/apps/#custom-csp" class="help" target="_blank"><i class="fa fa-question-circle"></i></a></sup> </label>
<p>Setting this option will override any CSP headers sent by the app itself</p>
<textarea ng-model="security.csp" placeholder="default-src 'self'; frame-ancestors 'none';" class="form-control" rows="2"></textarea>
</div>
<input class="ng-hide" type="submit" ng-disabled="securityForm.$invalid || security.busy"/>