fix: #8432, add CSP frame-ancestors

4 years ago · 46ab2711d4
parent 6fc31df033
commit 46ab2711d4
4 changed files with 32 additions and 3 deletions
--- a/public/language/en-GB/admin/settings/advanced.json
+++ b/public/language/en-GB/admin/settings/advanced.json
@ -5,6 +5,8 @@
 	"maintenance-mode.message": "Maintenance Message",
 	"headers": "Headers",
 	"headers.allow-from": "Set ALLOW-FROM to Place NodeBB in an iFrame",
+	"headers.csp-frame-ancestors": "Set Content-Security-Policy frame-ancestors header to Place NodeBB in an iFrame",
+	"headers.csp-frame-ancestors-help": "'none', 'self'(default) or list of URIs to allow.",
 	"headers.powered-by": "Customise the \"Powered By\" header sent by NodeBB",
 	"headers.acao": "Access-Control-Allow-Origin",
 	"headers.acao-regex": "Access-Control-Allow-Origin Regular Expression",
--- a/src/middleware/headers.js
+++ b/src/middleware/headers.js
@ -12,11 +12,20 @@ module.exports = function (middleware) {
 	middleware.addHeaders = helpers.try(function addHeaders(req, res, next) {
 		const headers = {
 			'X-Powered-By': encodeURI(meta.config['powered-by'] || 'NodeBB'),
-			'X-Frame-Options': meta.config['allow-from-uri'] ? 'ALLOW-FROM ' + encodeURI(meta.config['allow-from-uri']) : 'SAMEORIGIN',
 			'Access-Control-Allow-Methods': encodeURI(meta.config['access-control-allow-methods'] || ''),
 			'Access-Control-Allow-Headers': encodeURI(meta.config['access-control-allow-headers'] || ''),
 		};

+		if (meta.config['csp-frame-ancestors']) {
+			headers['Content-Security-Policy'] = 'frame-ancestors ' + meta.config['csp-frame-ancestors'];
+			if (meta.config['csp-frame-ancestors'] === '\'none\'') {
+				headers['X-Frame-Options'] = 'DENY';
+			}
+		} else {
+			headers['Content-Security-Policy'] = 'frame-ancestors \'self\'';
+			headers['X-Frame-Options'] = 'SAMEORIGIN';
+		}
+
 		if (meta.config['access-control-allow-origin']) {
 			let origins = meta.config['access-control-allow-origin'].split(',');
 			origins = origins.map(function (origin) {
--- a/src/upgrades/1.15.0/remove_allow_from_uri.js
+++ b/src/upgrades/1.15.0/remove_allow_from_uri.js
@ -0,0 +1,15 @@
+'use strict';
+
+const db = require('../../database');
+
+module.exports = {
+	name: 'Remove allow from uri setting',
+	timestamp: Date.UTC(2020, 8, 6),
+	method: async function () {
+		const meta = require('../../meta');
+		if (meta.config['allow-from-uri']) {
+			await db.setObjectField('config', 'csp-frame-ancestors', meta.config['allow-from-uri']);
+		}
+		await db.deleteObjectField('config', 'allow-from-uri');
+	},
+};
--- a/src/views/admin/settings/advanced.tpl
+++ b/src/views/admin/settings/advanced.tpl
@ -30,8 +30,11 @@
 	<div class="col-sm-10 col-xs-12">
 		<form>
 			<div class="form-group">
-				<label for="allow-from-uri">[[admin/settings/advanced:headers.allow-from]]</label>
-				<input class="form-control" id="allow-from-uri" type="text" placeholder="external-domain.com" data-field="allow-from-uri" /><br />
+				<label for="csp-frame-ancestors">[[admin/settings/advanced:headers.csp-frame-ancestors]]</label>
+				<input class="form-control" id="csp-frame-ancestors" type="text" placeholder="https://a.example.com https://b.example.com" data-field="csp-frame-ancestors" /><br />
+				<p class="help-block">
+					[[admin/settings/advanced:headers.csp-frame-ancestors-help]]
+				</p>
 			</div>
 			<div class="form-group">
 				<label for="powered-by">[[admin/settings/advanced:headers.powered-by]]</label>