Add config option to disallow framing via CSP

Signed-off-by: David Mehren <git@herrmehren.de>

docs/content/configuration.md

@@ -91,6 +91,7 @@ these are rarely used for various reasons.
 | `csp.addGoogleAnalytics`      | `CMD_CSP_ADD_GOOGLE_ANALYTICS` | **`false`** or `true`                                                                     | Enable to allow users to add Google Analytics to their notes. We don't recommend enabling this option, as it increases the attack surface of XSS attacks.                 |
 | `csp.upgradeInsecureRequests` |                                | **`auto`** or `true` or `false`                                                           | By default (`auto`), insecure (HTTP) requests are upgraded to HTTPS via CSP if `useSSL` is on. To change this behaviour, set to either `true` or `false`.                 |
 | `csp.reportUri`               | `CMD_CSP_REPORTURI`            | **`undefined`**, `https://<someid>.report-uri.com/r/d/csp/enforce`                        | Allows to add a URL for CSP reports in case of violations.                                                                                                                |
+| `csp.allowFraming`            | `CMD_CSP_ALLOW_FRAMING`        | **`true`** or `false`                                                                     | Disable to disallow framing of the instance. For increased security, we strongly recommend disabling this option, if you don't need to embed your notes in other pages.   |
 | `cookiePolicy`                | `CMD_COOKIE_POLICY`            | **`lax`**, `strict` or `none`                                                             | Set a SameSite policy whether cookies are send from cross-origin. Be careful: setting a SameSite value of none without https breaks the editor.                           | 
 
 ## Privacy and External Requests

lib/config/default.js

@@ -25,7 +25,8 @@ module.exports = {
     addDisqus: false,
     addGoogleAnalytics: false,
     upgradeInsecureRequests: 'auto',
-    reportURI: undefined
+    reportURI: undefined,
+    allowFraming: true
   },
   cookiePolicy: 'lax',
   protocolUseSSL: false,

lib/config/environment.js

@@ -22,7 +22,8 @@ module.exports = {
     enable: toBooleanConfig(process.env.CMD_CSP_ENABLE),
     reportURI: process.env.CMD_CSP_REPORTURI,
     addDisqus: toBooleanConfig(process.env.CMD_CSP_ADD_DISQUS),
-    addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS)
+    addGoogleAnalytics: toBooleanConfig(process.env.CMD_CSP_ADD_GOOGLE_ANALYTICS),
+    allowFraming: toBooleanConfig(process.env.CMD_CSP_ALLOW_FRAMING)
   },
   cookiePolicy: process.env.CMD_COOKIE_POLICY,
   protocolUseSSL: toBooleanConfig(process.env.CMD_PROTOCOL_USESSL),

lib/csp.js

@@ -21,9 +21,7 @@ const defaultDirectives = {
   ],
   styleSrc: [config.serverURL + '/build/', '\'unsafe-inline\'', 'https://github.githubassets.com'], // unsafe-inline is required for some libs, plus used in views
   objectSrc: ['*'], // Chrome PDF viewer treats PDFs as objects :/
-  mediaSrc: ['*'],
+  formAction: ['\'self\'']
-  childSrc: ['*'],
-  connectSrc: ['*']
 }
 
 const cdnDirectives = {
@@ -46,6 +44,10 @@ const dropboxDirectives = {
   scriptSrc: ['https://www.dropbox.com', '\'unsafe-inline\'']
 }
 
+const disallowFramingDirectives = {
+  frameAncestors: ['\'self\'']
+}
+
 CspStrategy.computeDirectives = function () {
   const directives = {}
   mergeDirectives(directives, config.csp.directives)
@@ -54,6 +56,7 @@ CspStrategy.computeDirectives = function () {
   mergeDirectivesIf(config.csp.addDisqus, directives, disqusDirectives)
   mergeDirectivesIf(config.csp.addGoogleAnalytics, directives, googleAnalyticsDirectives)
   mergeDirectivesIf(config.dropbox.appKey, directives, dropboxDirectives)
+  mergeDirectivesIf(!config.csp.allowFraming, directives, disallowFramingDirectives)
   addInlineScriptExceptions(directives)
   addUpgradeUnsafeRequestsOptionTo(directives)
   addReportURI(directives)
@@ -92,7 +95,7 @@ function getCspNonce (req, res) {
 }
 
 function addUpgradeUnsafeRequestsOptionTo (directives) {
-  if (config.csp.upgradeInsecureRequests === 'auto' && config.useSSL) {
+  if (config.csp.upgradeInsecureRequests === 'auto' && (config.useSSL || config.protocolUseSSL)) {
     directives.upgradeInsecureRequests = []
   } else if (config.csp.upgradeInsecureRequests === true) {
     directives.upgradeInsecureRequests = []