From ea87372dda3b1f5f0dc17c879a070d35ef9b6349 Mon Sep 17 00:00:00 2001
From: Arthur M <4rthem@users.noreply.github.com>
Date: Tue, 10 Dec 2024 16:00:11 +0100
Subject: [PATCH] PS-743 add csp frame-src and frame-ancestors (#501)

---
 .../client/docker/entrypoint.d/02-frame-ancestro-csp.sh | 9 +++++++++
 expose/api/docker/nginx/tpl/default.conf | 2 +-
 infra/docker/nginx-client-base/tpl/default.conf | 2 +-
 3 files changed, 11 insertions(+), 2 deletions(-)
 create mode 100644 dashboard/client/docker/entrypoint.d/02-frame-ancestro-csp.sh

diff --git a/dashboard/client/docker/entrypoint.d/02-frame-ancestro-csp.sh b/dashboard/client/docker/entrypoint.d/02-frame-ancestro-csp.sh
new file mode 100644
index 000000000..e5cb213dd
--- /dev/null
+++ b/dashboard/client/docker/entrypoint.d/02-frame-ancestro-csp.sh
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+COMPLETE_FILE="/etc/nginx/tpl/frame-ancestors.ok"
+if [ -d "$(dirname "${COMPLETE_FILE}")" ]; then
+ if [ ! -f "${COMPLETE_FILE}" ]; then
+ touch "${COMPLETE_FILE}"
+ sed -i "s/frame-ancestors 'self'/frame-ancestors 'self' https:/" /etc/nginx/tpl/default.conf
+ fi
+fi
diff --git a/expose/api/docker/nginx/tpl/default.conf b/expose/api/docker/nginx/tpl/default.conf
index 3dd809aba..71367ec5a 100644
--- a/expose/api/docker/nginx/tpl/default.conf
+++ b/expose/api/docker/nginx/tpl/default.conf
@@ -9,7 +9,7 @@ server {
 
 add_header X-Robots-Tag "noindex, nofollow";
 add_header X-Content-Type-Options "nosniff";
- add_header Content-Security-Policy "frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}";
+ add_header Content-Security-Policy "frame-src 'self' ${DASHBOARD_CLIENT_URL}; frame-ancestors 'self'";
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
 client_max_body_size $UPLOAD_MAX_FILE_SIZE;
diff --git a/infra/docker/nginx-client-base/tpl/default.conf b/infra/docker/nginx-client-base/tpl/default.conf
index 5a004e577..8d6a70d85 100644
--- a/infra/docker/nginx-client-base/tpl/default.conf
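Review bot: The `sed` rewrite turns `frame-ancestors 'self'` into `frame-ancestors 'self' https:`, which lets any HTTPS origin embed the dashboard client and removes most of the clickjacking protection the directive exists to provide; prefer listing the specific origins that legitimately embed it, as the companion `frame-src` change already does with an explicit origin. The marker file is also created before the edit runs, so a failed `sed` leaves `frame-ancestors.ok` in place and the change is never retried on the next start; swapping the order fixes that: `sed -i "s/frame-ancestors 'self'/frame-ancestors 'self' https:/" /etc/nginx/tpl/default.conf && touch "${COMPLETE_FILE}"`. Because the script has no `set -e`, the container would otherwise continue silently with whatever the template happens to contain.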
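Review bot: Dropping `${DASHBOARD_CLIENT_URL}` from `frame-ancestors` means this service can no longer be embedded by the dashboard, while the new `frame-src` grants the opposite direction (pages served by this nginx may embed the dashboard); the same line is changed in infra/docker/nginx-client-base/tpl/default.conf. If reversing the embedding direction is intended, a template comment would stop the next reader from "fixing" it back, e.g. `# frame-src: origins this service may embed; frame-ancestors: origins allowed to embed this service ('self' only)`. Note that `frame-src` only constrains documents actually rendered from this server's responses, so for a pure API it is inert — presumably this nginx also serves HTML, which is worth stating in that comment.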
+++ b/infra/docker/nginx-client-base/tpl/default.conf
@@ -3,7 +3,7 @@ server {
 
 add_header X-Robots-Tag "noindex, nofollow";
 add_header X-Content-Type-Options "nosniff";
- add_header Content-Security-Policy "frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}";
+ add_header Content-Security-Policy "frame-src 'self' ${DASHBOARD_CLIENT_URL}; frame-ancestors 'self'";
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 
 root /var/app;
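Review bot: The `frame-ancestors 'self'` written here is not the effective policy where this template is used for the dashboard client: the entrypoint script added in this commit rewrites it to `'self' https:` at container start, so anyone auditing the CSP from the template alone is misled. A comment such as `# NOTE: frame-ancestors is widened at startup by dashboard/client/docker/entrypoint.d/02-frame-ancestro-csp.sh` would make the runtime value discoverable. Judging by the paths this base image is shared, so expressing the allowed ancestors through a template variable (as `${DASHBOARD_CLIENT_URL}` already is for `frame-src`) rather than a post-hoc `sed` would keep the policy reviewable in one place.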