diff --git a/changes/changelog.d/1022.bugfix b/changes/changelog.d/1022.bugfix
new file mode 100644
index 0000000000000000000000000000000000000000..77ac458b168eaa7aa5d87de3cfb7f78d449a8249
--- /dev/null
+++ b/changes/changelog.d/1022.bugfix
@@ -0,0 +1 @@
+Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages (fix #1022)
diff --git a/deploy/docker.nginx.template b/deploy/docker.nginx.template
index b5f01eaec2d15ce481228e51d685320ace84b8c5..218dc313912f4da6372d94fed579b2b2dcef62c0 100644
--- a/deploy/docker.nginx.template
+++ b/deploy/docker.nginx.template
@@ -28,7 +28,7 @@ server {
 
     add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
     add_header Referrer-Policy "strict-origin-when-cross-origin";
-
+    add_header X-Frame-Options "SAMEORIGIN" always;
 
     location / {
         include /etc/nginx/funkwhale_proxy.conf;
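Review bot: The server-level `add_header X-Frame-Options "SAMEORIGIN" always;` added here will not reach the frontend location in the next hunk, because nginx inherits `add_header` from the outer level only when the inner block declares no `add_header` of its own, and that location still sets Content-Security-Policy, Referrer-Policy and Service-Worker-Allowed. With its own X-Frame-Options line removed, the frontend files would be served with no framing restriction at all, which contradicts the changelog entry. Keep `add_header X-Frame-Options "SAMEORIGIN" always;` inside that location; the same applies to the frontend location in deploy/nginx.template and to `location /front/` in docker/nginx/conf.dev, where the existing SAMEORIGIN line is dropped. Whether `location /` inherits the header depends on the contents of funkwhale_proxy.conf, which is not shown, and the server block itself starts and ends outside this hunk.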
@@ -41,7 +41,6 @@ server {
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
         add_header Service-Worker-Allowed "/";
-        add_header X-Frame-Options "ALLOW";
         alias /frontend/;
         expires 30d;
         add_header Pragma public;
@@ -52,7 +51,7 @@ server {
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
 
-        add_header X-Frame-Options "ALLOW";
+        add_header X-Frame-Options "" always;
         alias /frontend/embed.html;
         expires 30d;
         add_header Pragma public;
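Review bot: The empty value in `add_header X-Frame-Options "" always;` needs a comment, because it reads like a mistake. As far as I know nginx sends no header at all when the value is empty, so the line only records that embed.html is meant to be frameable from any origin. Suggested comment above it: `# empty value = no X-Frame-Options sent; embed.html must stay frameable by third-party sites`. The same line appears in the embed locations of deploy/nginx.template and docker/nginx/conf.dev, and the location block opens outside this hunk.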
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 575030bbac99af2a52e51f3446b9d29390432ecb..b0c048c1de72ba5cf038f08a0f4c1484cd096353 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -46,6 +46,7 @@ server {
 
     add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
     add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
 
     root ${FUNKWHALE_FRONTEND_PATH};
 
@@ -74,8 +75,8 @@ server {
         text/vtt
         text/x-component
         text/x-cross-domain-policy;
-
     # end of compression settings
+
     location / {
         include /etc/nginx/funkwhale_proxy.conf;
         # this is needed if you have file import via upload enabled
@@ -87,7 +88,6 @@ server {
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
         add_header Service-Worker-Allowed "/";
-        add_header X-Frame-Options "SAMEORIGIN";
         alias ${FUNKWHALE_FRONTEND_PATH}/;
         expires 30d;
         add_header Pragma public;
@@ -97,7 +97,7 @@ server {
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
 
-        add_header X-Frame-Options "ALLOW";
+        add_header X-Frame-Options "" always;
         alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
         expires 30d;
         add_header Pragma public;
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index cb22ec56801f26e46ab7edb2788cf56df169fc4f..f3a7c8aec5cbcd5b5af7bc7b9b082475e73f8457 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -71,11 +71,11 @@ http {
 
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header X-Frame-Options "SAMEORIGIN" always;
 
         location /front/ {
             add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
             add_header Referrer-Policy "strict-origin-when-cross-origin";
-            add_header X-Frame-Options "SAMEORIGIN";
             add_header Service-Worker-Allowed "/";
             # uncomment the following line and comment the proxy-pass one
             # to use the frontend build with "yarn build"
@@ -85,7 +85,7 @@ http {
         location /front/embed.html {
             add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
             add_header Referrer-Policy "strict-origin-when-cross-origin";
-            add_header X-Frame-Options "ALLOW";
+            add_header X-Frame-Options "" always;
             proxy_pass   http://funkwhale-front/front/embed.html;
         }
         location /front-server/ {