Dissociate frameguard from csp

This commit is contained in:
Chocobozzz 2021-04-12 15:33:54 +02:00
parent c24822a8fd
commit 8155db669b
No known key found for this signature in database
GPG Key ID: 583A612D890159BE
6 changed files with 55 additions and 5 deletions

View File

@ -153,6 +153,11 @@ csp:
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk! report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
report_uri: report_uri:
security:
# Set the X-Frame-Options header to help to mitigate clickjacking attacks
frameguard:
enabled: true
tracker: tracker:
# If you disable the tracker, you disable the P2P aspect of PeerTube # If you disable the tracker, you disable the P2P aspect of PeerTube
enabled: true enabled: true

View File

@ -151,6 +151,11 @@ csp:
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk! report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
report_uri: report_uri:
security:
# Set the X-Frame-Options header to help to mitigate clickjacking attacks
frameguard:
enabled: true
tracker: tracker:
# If you disable the tracker, you disable the P2P aspect of PeerTube # If you disable the tracker, you disable the P2P aspect of PeerTube
enabled: true enabled: true

View File

@ -59,11 +59,11 @@ import { baseCSP } from './server/middlewares/csp'
if (CONFIG.CSP.ENABLED) { if (CONFIG.CSP.ENABLED) {
app.use(baseCSP) app.use(baseCSP)
app.use(helmet({ }
frameguard: {
if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) {
app.use(helmet.frameguard({
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
},
hsts: false
})) }))
} }

View File

@ -17,6 +17,7 @@ function checkMissedConfig () {
'log.level', 'log.level',
'user.video_quota', 'user.video_quota_daily', 'user.video_quota', 'user.video_quota_daily',
'csp.enabled', 'csp.report_only', 'csp.report_uri', 'csp.enabled', 'csp.report_only', 'csp.report_uri',
'security.frameguard.enabled',
'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled', 'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
'signup.enabled', 'signup.limit', 'signup.requires_email_verification', 'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',

View File

@ -134,6 +134,11 @@ const CONFIG = {
REPORT_ONLY: config.get<boolean>('csp.report_only'), REPORT_ONLY: config.get<boolean>('csp.report_only'),
REPORT_URI: config.get<string>('csp.report_uri') REPORT_URI: config.get<string>('csp.report_uri')
}, },
SECURITY: {
FRAMEGUARD: {
ENABLED: config.get<boolean>('security.frameguard.enabled')
}
},
TRACKER: { TRACKER: {
ENABLED: config.get<boolean>('tracker.enabled'), ENABLED: config.get<boolean>('tracker.enabled'),
PRIVATE: config.get<boolean>('tracker.private'), PRIVATE: config.get<boolean>('tracker.private'),

View File

@ -12,6 +12,7 @@ import {
getConfig, getConfig,
getCustomConfig, getCustomConfig,
killallServers, killallServers,
makeGetRequest,
parallelTests, parallelTests,
registerUser, registerUser,
reRunServer, reRunServer,
@ -508,6 +509,39 @@ describe('Test config', function () {
checkInitialConfig(server, data) checkInitialConfig(server, data)
}) })
it('Should enable frameguard', async function () {
this.timeout(25000)
{
const res = await makeGetRequest({
url: server.url,
path: '/api/v1/config',
statusCodeExpected: 200
})
expect(res.headers['x-frame-options']).to.exist
}
killallServers([ server ])
const config = {
security: {
frameguard: { enabled: false }
}
}
server = await reRunServer(server, config)
{
const res = await makeGetRequest({
url: server.url,
path: '/api/v1/config',
statusCodeExpected: 200
})
expect(res.headers['x-frame-options']).to.not.exist
}
})
after(async function () { after(async function () {
await cleanupTests([ server ]) await cleanupTests([ server ])
}) })