Dissociate frameguard from csp

2021-04-12 15:33:54 +02:00 · 2021-04-12 15:33:54 +02:00 · 8155db669b
commit 8155db669b
parent c24822a8fd
6 changed files with 55 additions and 5 deletions
--- a/config/default.yaml
+++ b/config/default.yaml
@ -153,6 +153,11 @@ csp:
  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
  report_uri:

+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
+
 tracker:
  # If you disable the tracker, you disable the P2P aspect of PeerTube
  enabled: true
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@ -151,6 +151,11 @@ csp:
  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
  report_uri:

+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
+
 tracker:
  # If you disable the tracker, you disable the P2P aspect of PeerTube
  enabled: true
--- a/server.ts
+++ b/server.ts
@ -59,11 +59,11 @@ import { baseCSP } from './server/middlewares/csp'

 if (CONFIG.CSP.ENABLED) {
  app.use(baseCSP)
-  app.use(helmet({
-    frameguard: {
-      action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
-    },
-    hsts: false
+}
+
+if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) {
+  app.use(helmet.frameguard({
+    action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
  }))
 }

--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@ -17,6 +17,7 @@ function checkMissedConfig () {
    'log.level',
    'user.video_quota', 'user.video_quota_daily',
    'csp.enabled', 'csp.report_only', 'csp.report_uri',
+    'security.frameguard.enabled',
    'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
    'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
    'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@ -134,6 +134,11 @@ const CONFIG = {
    REPORT_ONLY: config.get<boolean>('csp.report_only'),
    REPORT_URI: config.get<string>('csp.report_uri')
  },
+  SECURITY: {
+    FRAMEGUARD: {
+      ENABLED: config.get<boolean>('security.frameguard.enabled')
+    }
+  },
  TRACKER: {
    ENABLED: config.get<boolean>('tracker.enabled'),
    PRIVATE: config.get<boolean>('tracker.private'),
--- a/server/tests/api/server/config.ts
+++ b/server/tests/api/server/config.ts
@ -12,6 +12,7 @@ import {
  getConfig,
  getCustomConfig,
  killallServers,
+  makeGetRequest,
  parallelTests,
  registerUser,
  reRunServer,
@ -508,6 +509,39 @@ describe('Test config', function () {
    checkInitialConfig(server, data)
  })

+  it('Should enable frameguard', async function () {
+    this.timeout(25000)
+
+    {
+      const res = await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/config',
+        statusCodeExpected: 200
+      })
+
+      expect(res.headers['x-frame-options']).to.exist
+    }
+
+    killallServers([ server ])
+
+    const config = {
+      security: {
+        frameguard: { enabled: false }
+      }
+    }
+    server = await reRunServer(server, config)
+
+    {
+      const res = await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/config',
+        statusCodeExpected: 200
+      })
+
+      expect(res.headers['x-frame-options']).to.not.exist
+    }
+  })
+
  after(async function () {
    await cleanupTests([ server ])
  })