Browse Source

Dissociate frameguard from csp

tags/v3.2.0-rc.1
Chocobozzz 1 year ago
parent
commit
8155db669b
No known key found for this signature in database GPG Key ID: 583A612D890159BE
6 changed files with 55 additions and 5 deletions
  1. +5
    -0
      config/default.yaml
  2. +5
    -0
      config/production.yaml.example
  3. +5
    -5
      server.ts
  4. +1
    -0
      server/initializers/checker-before-init.ts
  5. +5
    -0
      server/initializers/config.ts
  6. +34
    -0
      server/tests/api/server/config.ts

+ 5
- 0
config/default.yaml View File

@@ -153,6 +153,11 @@ csp:
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
report_uri:

security:
# Set the X-Frame-Options header to help to mitigate clickjacking attacks
frameguard:
enabled: true

tracker:
# If you disable the tracker, you disable the P2P aspect of PeerTube
enabled: true


+ 5
- 0
config/production.yaml.example View File

@@ -151,6 +151,11 @@ csp:
report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
report_uri:

security:
# Set the X-Frame-Options header to help to mitigate clickjacking attacks
frameguard:
enabled: true

tracker:
# If you disable the tracker, you disable the P2P aspect of PeerTube
enabled: true


+ 5
- 5
server.ts View File

@@ -59,11 +59,11 @@ import { baseCSP } from './server/middlewares/csp'

if (CONFIG.CSP.ENABLED) {
app.use(baseCSP)
app.use(helmet({
frameguard: {
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
},
hsts: false
}
if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) {
app.use(helmet.frameguard({
action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
}))
}



+ 1
- 0
server/initializers/checker-before-init.ts View File

@@ -17,6 +17,7 @@ function checkMissedConfig () {
'log.level',
'user.video_quota', 'user.video_quota_daily',
'csp.enabled', 'csp.report_only', 'csp.report_uri',
'security.frameguard.enabled',
'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',


+ 5
- 0
server/initializers/config.ts View File

@@ -134,6 +134,11 @@ const CONFIG = {
REPORT_ONLY: config.get<boolean>('csp.report_only'),
REPORT_URI: config.get<string>('csp.report_uri')
},
SECURITY: {
FRAMEGUARD: {
ENABLED: config.get<boolean>('security.frameguard.enabled')
}
},
TRACKER: {
ENABLED: config.get<boolean>('tracker.enabled'),
PRIVATE: config.get<boolean>('tracker.private'),


+ 34
- 0
server/tests/api/server/config.ts View File

@@ -12,6 +12,7 @@ import {
getConfig,
getCustomConfig,
killallServers,
makeGetRequest,
parallelTests,
registerUser,
reRunServer,
@@ -508,6 +509,39 @@ describe('Test config', function () {
checkInitialConfig(server, data)
})

it('Should enable frameguard', async function () {
this.timeout(25000)

{
const res = await makeGetRequest({
url: server.url,
path: '/api/v1/config',
statusCodeExpected: 200
})

expect(res.headers['x-frame-options']).to.exist
}

killallServers([ server ])

const config = {
security: {
frameguard: { enabled: false }
}
}
server = await reRunServer(server, config)

{
const res = await makeGetRequest({
url: server.url,
path: '/api/v1/config',
statusCodeExpected: 200
})

expect(res.headers['x-frame-options']).to.not.exist
}
})

after(async function () {
await cleanupTests([ server ])
})


Loading…
Cancel
Save