novaburst/funquail
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

See #880: updated CSP, added X-Frame-Options on front-end files, ensure embeds work

Browse source
This commit is contained in:
Eliot Berriot 2019-07-18 11:08:18 +02:00
commit 53782a5eb5
No known key found for this signature in database
GPG key ID: DD6965E2476E5C27
4 changed files with 89 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

10
docker/nginx/conf.dev
View file

@ -70,13 +70,23 @@ http {
text/x-cross-domain-policy;
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
location /front/ {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "SAMEORIGIN";
# uncomment the following line and comment the proxy-pass one
# to use the frontend build with "yarn build"
#alias /frontend/dist/;
proxy_pass http://funkwhale-front/front/;
}
location /front/embed.html {
add_header Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self' data:; object-src 'none'; media-src 'self' data:";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header X-Frame-Options "ALLOW";
proxy_pass http://funkwhale-front/front/embed.html;
}
location /front-server/ {
proxy_pass http://funkwhale-front/;
}