See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work

changes/notes.rst

@@ -45,16 +45,56 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
 Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.
 
 
-Content-Security-Policy [manual action suggested]
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Content-Security-Policy and additional security headers [manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
 To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
-you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value
-for both Docker and non-Docker deployments)::
+you add the following Content-Security-Policy to your nginx configuration.
+
+**On non-docker setups**, in ``/etc/nginx/sites-available/funkwhale.conf``::
 
     server {
-        # Security related headers
+
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
+            # … existing content here
+        }
+
+        # Also create a new location for the embeds to ensure external iframes work
+        # Simply copy-paste the /front/ location, but replace the following lines:
+        location /front/embed.html {
+            add_header X-Frame-Options "ALLOW";
+            alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
+        }
     }
 
 Then reload nginx with ``systemctl reload nginx``.
+
+**On docker setups**, in ``/srv/funkwhalenginx/funkwhale.template``::
+
+    server {
+
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
+            # … existing content here
+        }
+
+        # Also create a new location for the embeds to ensure external iframes work
+        # Simply copy-paste the /front/ location, but replace the following lines:
+        location /front/embed.html {
+            add_header X-Frame-Options "ALLOW";
+            alias /frontent/embed.html;
+        }
+    }
+
+Then reload nginx with ``docker-compose restart nginx``.

deploy/docker.nginx.template

@@ -23,6 +23,10 @@ server {
 
     root /frontend;
 
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+
     location / {
         include /etc/nginx/funkwhale_proxy.conf;
         # this is needed if you have file import via upload enabled
@@ -31,12 +35,27 @@ server {
     }
 
     location /front/ {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "ALLOW";
         alias /frontend/;
         expires 30d;
         add_header Pragma public;
         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
 
+    location /front/embed.html {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "ALLOW";
+        alias /frontend/embed.html;
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+    }
+
     location /federation/ {
         include /etc/nginx/funkwhale_proxy.conf;
         proxy_pass   http://funkwhale-api/federation/;

deploy/nginx.template

@@ -41,8 +41,8 @@ server {
     # HSTS
     add_header Strict-Transport-Security "max-age=31536000";
 
-    # Security related headers
     add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+    add_header Referrer-Policy "strict-origin-when-cross-origin";
 
     root ${FUNKWHALE_FRONTEND_PATH};
 
@@ -81,11 +81,25 @@ server {
     }
 
     location /front/ {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "SAMEORIGIN";
         alias ${FUNKWHALE_FRONTEND_PATH}/;
         expires 30d;
         add_header Pragma public;
         add_header Cache-Control "public, must-revalidate, proxy-revalidate";
     }
+    location /front/embed.html {
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        add_header X-Frame-Options "ALLOW";
+        alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
+        expires 30d;
+        add_header Pragma public;
+        add_header Cache-Control "public, must-revalidate, proxy-revalidate";
+    }
 
     location /federation/ {
         include /etc/nginx/funkwhale_proxy.conf;

docker/nginx/conf.dev

@@ -70,13 +70,23 @@ http {
             text/x-cross-domain-policy;
 
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
 
         location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
             # uncomment the following line and comment the proxy-pass one
             # to use the frontend build with "yarn build"
             #alias /frontend/dist/;
             proxy_pass   http://funkwhale-front/front/;
         }
+        location /front/embed.html {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "ALLOW";
+            proxy_pass   http://funkwhale-front/front/embed.html;
+        }
         location /front-server/ {
             proxy_pass   http://funkwhale-front/;
         }