MirrorMirror
/
funkwhale
mirror of https://dev.funkwhale.audio/funkwhale/funkwhale.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages

This commit is contained in:
JuniorJPDJ 2021-10-20 20:59:00 +02:00 committed by Georg Krause
parent 0abf71095c
commit 15ea984486
4 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changes/changelog.d/1022.bugfix Normal file
View File

@ -0,0 +1 @@
Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages (fix #1022)

5
deploy/docker.nginx.template
View File

@ -28,7 +28,7 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
location / { location / {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
@ -41,7 +41,6 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Service-Worker-Allowed "/"; add_header Service-Worker-Allowed "/";
add_header X-Frame-Options "ALLOW";
alias /frontend/; alias /frontend/;
expires 30d; expires 30d;
add_header Pragma public; add_header Pragma public;
@ -52,7 +51,7 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW"; add_header X-Frame-Options "" always;
alias /frontend/embed.html; alias /frontend/embed.html;
expires 30d; expires 30d;
add_header Pragma public; add_header Pragma public;

6
deploy/nginx.template
View File

@ -46,6 +46,7 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
root ${FUNKWHALE_FRONTEND_PATH}; root ${FUNKWHALE_FRONTEND_PATH};
@ -74,8 +75,8 @@ server {
text/vtt text/vtt
text/x-component text/x-component
text/x-cross-domain-policy; text/x-cross-domain-policy;
# end of compression settings # end of compression settings
location / { location / {
include /etc/nginx/funkwhale_proxy.conf; include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled # this is needed if you have file import via upload enabled
@ -87,7 +88,6 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Service-Worker-Allowed "/"; add_header Service-Worker-Allowed "/";
add_header X-Frame-Options "SAMEORIGIN";
alias ${FUNKWHALE_FRONTEND_PATH}/; alias ${FUNKWHALE_FRONTEND_PATH}/;
expires 30d; expires 30d;
add_header Pragma public; add_header Pragma public;
@ -97,7 +97,7 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW"; add_header X-Frame-Options "" always;
alias ${FUNKWHALE_FRONTEND_PATH}/embed.html; alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
expires 30d; expires 30d;
add_header Pragma public; add_header Pragma public;

4
docker/nginx/conf.dev
View File

@ -71,11 +71,11 @@ http {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
location /front/ { location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN";
add_header Service-Worker-Allowed "/"; add_header Service-Worker-Allowed "/";
# uncomment the following line and comment the proxy-pass one # uncomment the following line and comment the proxy-pass one
# to use the frontend build with "yarn build" # to use the frontend build with "yarn build"
@ -85,7 +85,7 @@ http {
location /front/embed.html { location /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:"; add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin"; add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW"; add_header X-Frame-Options "" always;
proxy_pass http://funkwhale-front/front/embed.html; proxy_pass http://funkwhale-front/front/embed.html;
} }
location /front-server/ { location /front-server/ {