diff --git a/docs/content/configuration.md b/docs/content/configuration.md
index c6e3fc3eb..95ecada23 100644
--- a/docs/content/configuration.md
+++ b/docs/content/configuration.md
@@ -91,6 +91,7 @@ these are rarely used for various reasons.
 | `csp.addGoogleAnalytics`      | `CMD_CSP_ADD_GOOGLE_ANALYTICS` | **`false`** or `true`                                                                     | Enable to allow users to add Google Analytics to their notes. We don't recommend enabling this option, as it increases the attack surface of XSS attacks.                 |
 | `csp.upgradeInsecureRequests` |                                | **`auto`** or `true` or `false`                                                           | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`.                 |
 | `csp.reportUri`               | `CMD_CSP_REPORTURI`            | **`undefined`**, `https://<someid>.report-uri.com/r/d/csp/enforce`                        | Allows to add a URL for CSP reports in case of violations.                                                                                                                |
+| `csp.allowFraming`            | `CMD_CSP_ALLOW_FRAMING`        | **`true`** or `false`                                                                     | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages.   |
 | `cookiePolicy`                | `CMD_COOKIE_POLICY`            | **`lax`**, `strict` or `none`                                                             | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor.                           | 
 
 ## Privacy and External Requests
diff --git a/lib/config/default.js b/lib/config/default.js
index c1f3f9733..89defb25e 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -25,7 +25,8 @@ module.exports = {
     addDisqus: false,
     addGoogleAnalytics: false,
     upgradeInsecureRequests: 'auto',
-    reportURI: undefined
+    reportURI: undefined,
+    allowFraming: true
   },
   cookiePolicy: 'lax',
   protocolUseSSL: false,
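Review bot: The new default `allowFraming: true` on the added line leaves every instance frameable by any origin unless an operator opts in, while the docs added in the same commit "strongly recommend" disabling it. Secure-by-default would be `allowFraming: false`, with the docs row flipped to "Enable to allow framing of the instance"; if that is rejected because it could break existing embeds, a comment on this line explaining that choice, `// permissive default to avoid breaking existing embeds; see docs/content/configuration.md`, would stop the next reader from assuming it was an oversight.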
diff --git a/lib/config/environment.js b/lib/config/environment.js
index 1a43a88f9..0464f7fb9 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -22,7 +22,8 @@ module.exports = {
     enable: toBooleanConfig(process.env.CMD_CSP_ENABLE),
     reportURI: process.env.CMD_CSP_REPORTURI,
     addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
-    addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS)
+    addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
+    allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
   },
   cookiePolicy: process.env.CMD_COOKIE_POLICY,
   protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),
diff --git a/lib/csp.js b/lib/csp.js
index fa2f95bb3..98996073f 100644
--- a/lib/csp.js
+++ b/lib/csp.js
@@ -21,9 +21,7 @@ const defaultDirectives = {
   ],
   styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
   objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
-  mediaSrc: ['*'],
-  childSrc: ['*'],
-  connectSrc: ['*']
+  formAction: ['\'self\'']
 }
 
 const cdnDirectives = {
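Review bot: Dropping the `mediaSrc`, `childSrc` and `connectSrc` wildcards means those directives now inherit whatever `default-src` is set to, but `default-src` is declared above this hunk and is not visible here, so the effective new policy for XHR/WebSocket, media and nested browsing contexts cannot be confirmed from the diff; a short comment at the point of removal would record the intent, e.g. `// mediaSrc/childSrc/connectSrc intentionally omitted: they fall back to default-src`. The neighbouring entries all carry a trailing rationale comment, so the new `formAction` line should too, e.g. `formAction: ['\'self\''], // forms may only submit back to this instance`. The `defaultDirectives` object begins before the hunk.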
@@ -46,6 +44,10 @@ const dropboxDirectives = {
   scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
 }
 
+const disallowFramingDirectives = {
+  frameAncestors: ['\'self\'']
+}
+
 CspStrategy.computeDirectives = function () {
   const directives = {}
   mergeDirectives(directives, config.csp.directives)
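Review bot: `frameAncestors: ['\'self\'']` still permits same-origin framing, whereas the documentation row and the name `disallowFramingDirectives` read as if framing is fully blocked; either `'\'none\''` is the intended value or the name and docs should say "disallow cross-origin framing". `frame-ancestors` is also only honoured by CSP-capable browsers and is ignored in a `<meta>` CSP, so unless an `X-Frame-Options` header is set elsewhere in the app (not visible in this diff) legacy clients get no clickjacking protection; a comment on the new object, `// 'self' allows same-origin embedding; pair with X-Frame-Options for browsers without CSP frame-ancestors support`, would make both caveats explicit. `computeDirectives` continues past the end of this hunk.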
@@ -54,6 +56,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
   mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
+  mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
   addInlineScriptExceptions(directives)
   addUpgradeUnsafeRequestsOptionTo(directives)
   addReportURI(directives)
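Review bot: The added `mergeDirectivesIf(!config.csp.allowFraming, ...)` treats a missing value as "disallow": if `config.csp.allowFraming` is `undefined`, `!undefined` is `true` and framing gets blocked. The environment layer in lib/config/environment.js sets it to `toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)`, which presumably yields `undefined` when the variable is unset; whether that `undefined` overrides the `true` default during config merging is not visible here, and if it does, every deployment without the variable silently flips to `frame-ancestors 'self'`. Making the negation explicit avoids depending on merge semantics: `mergeDirectivesIf(config.csp.allowFraming === false, directives, disallowFramingDirectives)`. The enclosing `computeDirectives` starts before this hunk.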
@@ -92,7 +95,7 @@ function getCspNonce (req, res) {
 }
 
 function addUpgradeUnsafeRequestsOptionTo (directives) {
-  if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
+  if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)) {
     directives.upgradeInsecureRequests = []
   } else if (config.csp.upgradeInsecureRequests === true) {
     directives.upgradeInsecureRequests = []
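Review bot: The `if` and `else if` branches on the changed condition assign the identical value, so the new `(config.useSSL || config.protocolUseSSL)` term makes an already duplicated condition harder to read; folding them into one test keeps the behaviour: `const autoUpgrade = config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)` followed by `if (autoUpgrade || config.csp.upgradeInsecureRequests === true) {`. It is also not stated why two SSL flags exist; a comment such as `// useSSL: this process terminates TLS; protocolUseSSL: TLS is terminated upstream (confirm against config docs)` would explain the `||`. `addUpgradeUnsafeRequestsOptionTo` continues past the end of this hunk, so any `else` branch is not visible.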