eorn
/
funkwhale
mirror of https://dev.funkwhale.audio/funkwhale/funkwhale
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages

merge-requests/1388/head
JuniorJPDJ 7 months ago
committed by Georg Krause
parent
0abf71095c
commit
15ea984486
4 changed files with 8 additions and 8 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 1
      changes/changelog.d/1022.bugfix
  2. 5
      deploy/docker.nginx.template
  3. 6
      deploy/nginx.template
  4. 4
      docker/nginx/conf.dev

1
changes/changelog.d/1022.bugfix
View File

@ -0,0 +1 @@
Fix X-Frame-Options HTTP header for embed and force it to SAMEORIGIN value for other pages (fix #1022)

5
deploy/docker.nginx.template
View File

@ -28,7 +28,7 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
location / {
include /etc/nginx/funkwhale_proxy.conf;
@ -41,7 +41,6 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Service-Worker-Allowed "/";
add_header X-Frame-Options "ALLOW";
alias /frontend/;
expires 30d;
add_header Pragma public;
@ -52,7 +51,7 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
add_header X-Frame-Options "" always;
alias /frontend/embed.html;
expires 30d;
add_header Pragma public;

6
deploy/nginx.template
View File

@ -46,6 +46,7 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
root ${FUNKWHALE_FRONTEND_PATH};
@ -74,8 +75,8 @@ server {
text/vtt
text/x-component
text/x-cross-domain-policy;
# end of compression settings
location / {
include /etc/nginx/funkwhale_proxy.conf;
# this is needed if you have file import via upload enabled
@ -87,7 +88,6 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Service-Worker-Allowed "/";
add_header X-Frame-Options "SAMEORIGIN";
alias ${FUNKWHALE_FRONTEND_PATH}/;
expires 30d;
add_header Pragma public;
@ -97,7 +97,7 @@ server {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:; worker-src 'self'";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
add_header X-Frame-Options "" always;
alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
expires 30d;
add_header Pragma public;

4
docker/nginx/conf.dev
View File

@ -71,11 +71,11 @@ http {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN" always;
location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN";
add_header Service-Worker-Allowed "/";
# uncomment the following line and comment the proxy-pass one
# to use the frontend build with "yarn build"
@ -85,7 +85,7 @@ http {
location /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
add_header X-Frame-Options "" always;
proxy_pass http://funkwhale-front/front/embed.html;
}
location /front-server/ {

Write Preview
Loading…
Cancel
Save