Add config option to disallow framing via CSP

Signed-off-by: David Mehren <git@herrmehren.de>

lib/csp.js

@@ -21,9 +21,7 @@ const defaultDirectives = {
   ],
   styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
   objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
-  mediaSrc: ['*'],
-  childSrc: ['*'],
-  connectSrc: ['*']
+  formAction: ['\'self\'']
 }
 
 const cdnDirectives = {
@@ -46,6 +44,10 @@ const dropboxDirectives = {
   scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
 }
 
+const disallowFramingDirectives = {
+  frameAncestors: ['\'self\'']
+}
+
 CspStrategy.computeDirectives = function () {
   const directives = {}
   mergeDirectives(directives, config.csp.directives)
@@ -54,6 +56,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
   mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
+  mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
   addInlineScriptExceptions(directives)
   addUpgradeUnsafeRequestsOptionTo(directives)
   addReportURI(directives)
@@ -92,7 +95,7 @@ function getCspNonce (req, res) {
 }
 
 function addUpgradeUnsafeRequestsOptionTo (directives) {
-  if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
+  if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)) {
     directives.upgradeInsecureRequests = []
   } else if (config.csp.upgradeInsecureRequests === true) {
     directives.upgradeInsecureRequests = []