diff --git a/dashboard/client/docker/entrypoint.d/02-frame-ancestro-csp.sh b/dashboard/client/docker/entrypoint.d/02-frame-ancestro-csp.sh
new file mode 100644
index 000000000..e5cb213dd
--- /dev/null
+++ b/dashboard/client/docker/entrypoint.d/02-frame-ancestro-csp.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+COMPLETE_FILE="/etc/nginx/tpl/frame-ancestors.ok"
+if [ -d "$(dirname "${COMPLETE_FILE}")" ]; then
+ if [ ! -f "${COMPLETE_FILE}" ]; then
+ touch "${COMPLETE_FILE}"
+ sed -i "s/frame-ancestors 'self'/frame-ancestors 'self' https:/" /etc/nginx/tpl/default.conf
+ fi
+fi
diff --git a/expose/api/docker/nginx/tpl/default.conf b/expose/api/docker/nginx/tpl/default.conf
index 3dd809aba..71367ec5a 100644
--- a/expose/api/docker/nginx/tpl/default.conf
+++ b/expose/api/docker/nginx/tpl/default.conf
@@ -9,7 +9,7 @@ server {
 add_header X-Robots-Tag "noindex, nofollow";
 add_header X-Content-Type-Options "nosniff";
- add_header Content-Security-Policy "frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}";
+ add_header Content-Security-Policy "frame-src 'self' ${DASHBOARD_CLIENT_URL}; frame-ancestors 'self'";
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 client_max_body_size $UPLOAD_MAX_FILE_SIZE;
diff --git a/infra/docker/nginx-client-base/tpl/default.conf b/infra/docker/nginx-client-base/tpl/default.conf
index 5a004e577..8d6a70d85 100644
--- a/infra/docker/nginx-client-base/tpl/default.conf
+++ b/infra/docker/nginx-client-base/tpl/default.conf
@@ -3,7 +3,7 @@ server {
 add_header X-Robots-Tag "noindex, nofollow";
 add_header X-Content-Type-Options "nosniff";
- add_header Content-Security-Policy "frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}";
+ add_header Content-Security-Policy "frame-src 'self' ${DASHBOARD_CLIENT_URL}; frame-ancestors 'self'";
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 root /var/app;
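Review bot: The `sed -i` line rewrites `frame-ancestors 'self'` to `frame-ancestors 'self' https:`, and the `https:` scheme source lets any HTTPS origin frame the dashboard client, so the header no longer provides meaningful clickjacking protection; if embedding is only needed from known hosts, substitute a configured origin list instead (e.g. an `ALLOWED_FRAME_ANCESTORS` variable — constructed name) rather than a bare scheme. The marker file is also created before the sed runs and the script has no `set -e`, so a failed or non-matching sed leaves `frame-ancestors.ok` in place and the rewrite is never retried on the next start; reorder to `sed -i "s/frame-ancestors 'self'/frame-ancestors 'self' https:/" /etc/nginx/tpl/default.conf && touch "${COMPLETE_FILE}"`. A one-line header comment stating why the policy is widened at container start (and which conf it targets) would help the next reader, and the file name `02-frame-ancestro-csp.sh` looks like a typo for `ancestors`.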
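Review bot: The new `Content-Security-Policy` value reverses the direction of the restriction: `frame-src` limits what pages served by this host may embed, while the removed `frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}` limited who may embed them, so after this change `frame-ancestors 'self'` blocks the dashboard client origin from framing any response from this server. If the dashboard still needs to frame these responses (the previous policy suggests it did), the directive should keep `frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}` alongside or instead of the `frame-src` source; if that framing is no longer required, a short comment above the line saying so would document the intent. The same change appears in the infra/docker/nginx-client-base/tpl/default.conf hunk. Note also that nginx `add_header` is inherited only by location blocks that define no `add_header` of their own, so any location in the rest of this file (outside the hunk) that sets headers needs the policy repeated.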