From 15ea984486a050c74382fab2983b1e08d8b22555 Mon Sep 17 00:00:00 2001
From: JuniorJPDJ <git@juniorjpdj.pl>
Date: Wed, 20 Oct 2021 20:59:00 +0200
Subject: [PATCH] Fix X-Frame-Options HTTP header for embed and force it to
 SAMEORIGIN value for other pages

---
 changes/changelog.d/1022.bugfix | 1 +
 deploy/docker.nginx.template    | 5 ++---
 deploy/nginx.template           | 6 +++---
 docker/nginx/conf.dev           | 4 ++--
 4 files changed, 8 insertions(+), 8 deletions(-)
 create mode 100644 changes/changelog.d/1022.bugfix

diff --git a/changes/changelog.d/1022.bugfix b/changes/changelog.d/1022.bugfix
new file mode 100644
index 000000000..77ac458b1
--- /dev/null
+++ b/changes/changelog.d/1022.bugfix
@@ -0,0 +1 @@
+Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages (fix #1022)
diff --git a/deploy/docker.nginx.template b/deploy/docker.nginx.template
index b5f01eaec..218dc3139 100644
--- a/deploy/docker.nginx.template
+++ b/deploy/docker.nginx.template
@@ -28,7 +28,7 @@ server {
 
     add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
     add_header Referrer-Policy "strict-origin-when-cross-origin";
-
+    add_header X-Frame-Options "SAMEORIGIN" always;
 
     location / {
         include /etc/nginx/funkwhale_proxy.conf;
@@ -41,7 +41,6 @@ server {
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
         add_header Service-Worker-Allowed "/";
-        add_header X-Frame-Options "ALLOW";
         alias /frontend/;
         expires 30d;
         add_header Pragma public;
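Review bot: Removing the location-level `add_header X-Frame-Options` here leaves the frontend files served via `alias /frontend/` with no X-Frame-Options at all, because nginx inherits `add_header` directives from the server level only when a location defines none of its own, and this location keeps its own Content-Security-Policy, Referrer-Policy, Service-Worker-Allowed and Pragma headers. The `SAMEORIGIN` header added at server level in the previous hunk therefore never reaches the frontend `index.html`, which is the page that actually needs clickjacking protection. Keep an explicit `add_header X-Frame-Options "SAMEORIGIN" always;` inside this location, or add `frame-ancestors 'self'` to its Content-Security-Policy, which browsers honour in preference to X-Frame-Options. The enclosing location block starts and ends outside the hunk.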
@@ -52,7 +51,7 @@ server {
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
 
-        add_header X-Frame-Options "ALLOW";
+        add_header X-Frame-Options "" always;
         alias /frontend/embed.html;
         expires 30d;
         add_header Pragma public;
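Review bot: `add_header X-Frame-Options "" always;` relies on nginx omitting a header whose value is the empty string, which is non-obvious and reads like a typo to the next maintainer; a comment such as `# empty value: nginx emits no header, so embed.html stays frameable from any origin` would make the intent explicit. Since this location already defines its own add_header directives, the server-level SAMEORIGIN would not be inherited here anyway, so the line is a defensive guard rather than a functional override. Frameability of the embed also depends on the Content-Security-Policy a few lines above never gaining a `frame-ancestors` directive; noting that dependency next to the CSP line would stop a future hardening pass from silently breaking embeds. The enclosing location block starts and ends outside the hunk.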
diff --git a/deploy/nginx.template b/deploy/nginx.template
index 575030bba..b0c048c1d 100644
--- a/deploy/nginx.template
+++ b/deploy/nginx.template
@@ -46,6 +46,7 @@ server {
 
     add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
     add_header Referrer-Policy "strict-origin-when-cross-origin";
+    add_header X-Frame-Options "SAMEORIGIN" always;
 
     root ${FUNKWHALE_FRONTEND_PATH};
 
@@ -74,8 +75,8 @@ server {
         text/vtt
         text/x-component
         text/x-cross-domain-policy;
-
     # end of compression settings
+
     location / {
         include /etc/nginx/funkwhale_proxy.conf;
         # this is needed if you have file import via upload enabled
@@ -87,7 +88,6 @@ server {
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
         add_header Service-Worker-Allowed "/";
-        add_header X-Frame-Options "SAMEORIGIN";
         alias ${FUNKWHALE_FRONTEND_PATH}/;
         expires 30d;
         add_header Pragma public;
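Review bot: Dropping `add_header X-Frame-Options "SAMEORIGIN"` from this location removes the header from everything served under `alias ${FUNKWHALE_FRONTEND_PATH}/`, because nginx only inherits server-level `add_header` directives into a location that defines no `add_header` of its own, and this one still sets CSP, Referrer-Policy, Service-Worker-Allowed and Pragma. The server-level `SAMEORIGIN` added in the first hunk of this file consequently does not apply to the frontend HTML. Restore `add_header X-Frame-Options "SAMEORIGIN" always;` in this location (the `always` flag also covers non-2xx responses, matching the server-level line), or append `frame-ancestors 'self'` to the location's Content-Security-Policy. The enclosing location block starts and ends outside the hunk.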
@@ -97,7 +97,7 @@ server {
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
 
-        add_header X-Frame-Options "ALLOW";
+        add_header X-Frame-Options "" always;
         alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
         expires 30d;
         add_header Pragma public;
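Review bot: The empty-value `add_header X-Frame-Options "" always;` depends on nginx dropping headers with an empty value, and nothing in the file says so; add `# empty value on purpose: nginx omits the header so embed.html can be framed cross-origin` above it. Because this location already carries its own add_header directives, the server-level SAMEORIGIN would not have been inherited here even without this line, so it documents intent rather than changing behaviour. Cross-origin embedding also requires that the Content-Security-Policy on the preceding lines keep omitting `frame-ancestors`; a one-line comment tying the two together is worth adding. The enclosing location block starts and ends outside the hunk.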
diff --git a/docker/nginx/conf.dev b/docker/nginx/conf.dev
index cb22ec568..f3a7c8aec 100644
--- a/docker/nginx/conf.dev
+++ b/docker/nginx/conf.dev
@@ -71,11 +71,11 @@ http {
 
         add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
         add_header Referrer-Policy "strict-origin-when-cross-origin";
+        add_header X-Frame-Options "SAMEORIGIN" always;
 
         location /front/ {
             add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
             add_header Referrer-Policy "strict-origin-when-cross-origin";
-            add_header X-Frame-Options "SAMEORIGIN";
             add_header Service-Worker-Allowed "/";
             # uncomment the following line and comment the proxy-pass one
             # to use the frontend build with "yarn build"
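Review bot: Removing `add_header X-Frame-Options "SAMEORIGIN"` from `location /front/` while adding it at server level does not preserve the header for the frontend, because this location still declares its own `add_header` directives (Content-Security-Policy, Referrer-Policy, Service-Worker-Allowed) and nginx then ignores every server-level `add_header`. The dev frontend proxied through this location ends up with no framing protection, even though the intent stated in the commit title is to force SAMEORIGIN for non-embed pages. Re-add `add_header X-Frame-Options "SAMEORIGIN" always;` inside `location /front/`, or add `frame-ancestors 'self'` to its Content-Security-Policy. The location block continues past the end of the hunk.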
@@ -85,7 +85,7 @@ http {
         location /front/embed.html {
             add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
             add_header Referrer-Policy "strict-origin-when-cross-origin";
-            add_header X-Frame-Options "ALLOW";
+            add_header X-Frame-Options "" always;
             proxy_pass   http://funkwhale-front/front/embed.html;
         }
         location /front-server/ {
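Review bot: `add_header X-Frame-Options "" always;` in `location /front/embed.html` works only because nginx suppresses a header whose value is empty, and the config gives no hint of that; a comment such as `# intentionally empty: no X-Frame-Options header is sent, so the embed can be framed by other sites` would prevent someone from "fixing" it back to a value. The line is defensive rather than necessary, since this location's own add_header directives already stop the server-level SAMEORIGIN from being inherited. Embeddability also hinges on the Content-Security-Policy above not acquiring a `frame-ancestors` directive, which is worth stating next to that header.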
-- 
GitLab