From bd44cbc16c7b2bf4961d5a2826f83f564767a20a Mon Sep 17 00:00:00 2001 From: David Mehren Date: Sun, 18 Jul 2021 09:59:14 +0200 Subject: [PATCH] Add config option to disallow framing via CSP Signed-off-by: David Mehren --- docs/content/configuration.md | 1 + lib/config/default.js | 3 ++- lib/config/environment.js | 3 ++- lib/csp.js | 11 +++++++---- 4 files changed, 12 insertions(+), 6 deletions(-) diff --git a/docs/content/configuration.md b/docs/content/configuration.md index c6e3fc3eb..95ecada23 100644 --- a/docs/content/configuration.md +++ b/docs/content/configuration.md @@ -91,6 +91,7 @@ these are rarely used for various reasons. | `csp.addGoogleAnalytics` | `CMD_CSP_ADD_GOOGLE_ANALYTICS` | **`false`** or `true` | Enable to allow users to add Google Analytics to their notes. We don't recommend enabling this option, as it increases the attack surface of XSS attacks. | | `csp.upgradeInsecureRequests` | | **`auto`** or `true` or `false` | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`. | | `csp.reportUri` | `CMD_CSP_REPORTURI` | **`undefined`**, `https://.report-uri.com/r/d/csp/enforce` | Allows to add a URL for CSP reports in case of violations. | +| `csp.allowFraming` | `CMD_CSP_ALLOW_FRAMING` | **`true`** or `false` | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages. | | `cookiePolicy` | `CMD_COOKIE_POLICY` | **`lax`**, `strict` or `none` | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor. | ## Privacy and External Requests diff --git a/lib/config/default.js b/lib/config/default.js index c1f3f9733..89defb25e 100644 --- a/lib/config/default.js +++ b/lib/config/default.js @@ -25,7 +25,8 @@ module.exports = { addDisqus: false, addGoogleAnalytics: false, upgradeInsecureRequests: 'auto', - reportURI: undefined + reportURI: undefined, + allowFraming: true }, cookiePolicy: 'lax', protocolUseSSL: false, diff --git a/lib/config/environment.js b/lib/config/environment.js index 1a43a88f9..0464f7fb9 100644 --- a/lib/config/environment.js +++ b/lib/config/environment.js @@ -22,7 +22,8 @@ module.exports = { enable: toBooleanConfig(process.env.CMD_CSP_ENABLE), reportURI: process.env.CMD_CSP_REPORTURI, addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS), - addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS) + addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS), + allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING) }, cookiePolicy: process.env.CMD_COOKIE_POLICY, protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL), diff --git a/lib/csp.js b/lib/csp.js index fa2f95bb3..98996073f 100644 --- a/lib/csp.js +++ b/lib/csp.js @@ -21,9 +21,7 @@ const defaultDirectives = { ], styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/ - mediaSrc: ['*'], - childSrc: ['*'], - connectSrc: ['*'] + formAction: ['\'self\''] } const cdnDirectives = { @@ -46,6 +44,10 @@ const dropboxDirectives = { scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\''] } +const disallowFramingDirectives = { + frameAncestors: ['\'self\''] +} + CspStrategy.computeDirectives = function () { const directives = {} mergeDirectives(directives, config.csp.directives) @@ -54,6 +56,7 @@ CspStrategy.computeDirectives = function () { mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives) mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives) mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives) + mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives) addInlineScriptExceptions(directives) addUpgradeUnsafeRequestsOptionTo(directives) addReportURI(directives) @@ -92,7 +95,7 @@ function getCspNonce (req, res) { } function addUpgradeUnsafeRequestsOptionTo (directives) { - if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) { + if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)) { directives.upgradeInsecureRequests = [] } else if (config.csp.upgradeInsecureRequests === true) { directives.upgradeInsecureRequests = []