See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work

2019-07-18 11:08:18 +02:00 · 2019-07-18 11:08:18 +02:00 · 53782a5eb5
commit 53782a5eb5
parent 9c5f623d03
4 changed files with 89 additions and 6 deletions
--- a/changes/notes.rst
+++ b/changes/notes.rst
@ -45,16 +45,56 @@ Then, edit your ``/etc/systemd/system/funkwhale-server.service`` and replace the
 Then reload the configuration change with ``sudo systemctl daemon-reload`` and ``sudo systemctl restart funkwhale-server``.


-Content-Security-Policy [manual action suggested]
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Content-Security-Policy and additional security headers [manual action suggested]
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 To improve the security and reduce the attack surface in case of a successfull exploit, we suggest
-you add the following Content-Security-Policy to the Nginx configuration of your proxy (same value
-for both Docker and non-Docker deployments)::
+you add the following Content-Security-Policy to your nginx configuration.
+
+**On non-docker setups**, in ``/etc/nginx/sites-available/funkwhale.conf``::

    server {
-        # Security related headers
+
        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
+            # … existing content here
+        }
+
+        # Also create a new location for the embeds to ensure external iframes work
+        # Simply copy-paste the /front/ location, but replace the following lines:
+        location /front/embed.html {
+            add_header X-Frame-Options "ALLOW";
+            alias ${FUNKWHALE_FRONTEND_PATH}/embed.html;
+        }
    }

 Then reload nginx with ``systemctl reload nginx``.
+
+**On docker setups**, in ``/srv/funkwhalenginx/funkwhale.template``::
+
+    server {
+
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+        add_header Referrer-Policy "strict-origin-when-cross-origin";
+
+        location /front/ {
+            add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
+            add_header Referrer-Policy "strict-origin-when-cross-origin";
+            add_header X-Frame-Options "SAMEORIGIN";
+            # … existing content here
+        }
+
+        # Also create a new location for the embeds to ensure external iframes work
+        # Simply copy-paste the /front/ location, but replace the following lines:
+        location /front/embed.html {
+            add_header X-Frame-Options "ALLOW";
+            alias /frontent/embed.html;
+        }
+    }
+
+Then reload nginx with ``docker-compose restart nginx``.