Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages

15ea9844 · JuniorJPDJ · Georg Krause · 0abf7109 · 15ea9844 · 15ea9844
Commit 15ea9844 authored 3 years ago by JuniorJPDJ Committed by Georg Krause 3 years ago
--- a/changes/changelog.d/1022.bugfix
+++ b/changes/changelog.d/1022.bugfix
+Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages (fix #1022)
--- a/deploy/docker.nginx.template
+++ b/deploy/docker.nginx.template
@@ -28,7 +28,7 @@ server {

    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
-
+    add_header X-Frame-Options "SAMEORIGIN" always;

    location / {
        include /etc/nginx/funkwhale_proxy.conf;
@@ -41,7 +41,6 @@ server {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Service-Worker-Allowed "/";
-        add_header X-Frame-Options "ALLOW";
        alias /frontend/;
        expires 30d;
        add_header Pragma public;
@@ -52,7 +51,7 @@ server {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

-        add_header X-Frame-Options "ALLOW";
+        add_header X-Frame-Options "" always;
        alias /frontend/embed.html;
        expires 30d;
        add_header Pragma public;

--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -46,6 +46,7 @@ server {

    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
    add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;

    root ${FUNKWHALE_FRONTEND_PATH};

@@ -74,8 +75,8 @@ server {
        text/vtt
        text/x-component
        text/x-cross-domain-policy;
-
    # end of compression settings
+
    location / {
        include /etc/nginx/funkwhale_proxy.conf;
        # this is needed if you have file import via upload enabled
@@ -87,7 +88,6 @@ server {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Service-Worker-Allowed "/";
-        add_header X-Frame-Options "SAMEORIGIN";
        alias ${FUNKWHALE_FRONTEND_PATH}/;
        expires 30d;
        add_header Pragma public;
@@ -97,7 +97,7 @@ server {
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
        add_header Referrer-Policy "strict-origin-when-cross-origin";

-        add_header X-Frame-Options "ALLOW";
+        add_header X-Frame-Options "" always;
        alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
        expires 30d;
        add_header Pragma public;

--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -71,11 +71,11 @@ http {

        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header X-Frame-Options "SAMEORIGIN" always;

        location /front/ {
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
-            add_header X-Frame-Options "SAMEORIGIN";
            add_header Service-Worker-Allowed "/";
            # uncomment the following line and comment the proxy-pass one
            # to use the frontend build with "yarn build"
@@ -85,7 +85,7 @@ http {
        location /front/embed.html {
            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
            add_header Referrer-Policy "strict-origin-when-cross-origin";
-            add_header X-Frame-Options "ALLOW";
+            add_header X-Frame-Options "" always;
            proxy_pass   http://funkwhale-front/front/embed.html;
        }
        location /front-server/ {