diff --git a/server/common/config.go b/server/common/config.go
index d7930e19..a38c0c43 100644
--- a/server/common/config.go
+++ b/server/common/config.go
@@ -92,6 +92,12 @@ func NewConfiguration() Configuration {
 FormElement{Name: "redirect", Type: "string", Placeholder: "redirection URL", Description: "When set, shared links will perform a redirection to another link. Example: https://example.com?full_path={{path}}"},
 },
 },
+ Form{
+ Title: "protection",
+ Elmnts: []FormElement{
+ FormElement{Name: "iframe", Type: "text", Default: "", Description: "list of domains who can use the application from an iframe. eg: https://www.filestash.app http://example.com"},
+ },
+ },
 },
 },
 Form{
diff --git a/server/ctrl/session.go b/server/ctrl/session.go
index 89e6e47b..55e45fa7 100644
--- a/server/ctrl/session.go
+++ b/server/ctrl/session.go
@@ -102,7 +102,13 @@ func SessionAuthenticate(ctx App, res http.ResponseWriter, req *http.Request) {
 MaxAge: 60 * Config.Get("general.cookie_timeout").Int(),
 Path: COOKIE_PATH,
 HttpOnly: true,
- SameSite: http.SameSiteStrictMode,
+ Secure: true,
+ SameSite: func() http.SameSite {
+ if Config.Get("features.protection.iframe").String() != "" {
+ return http.SameSiteNoneMode
+ }
+ return http.SameSiteStrictMode
+ }(),
 })
 if end == len(obfuscate) {
 break
diff --git a/server/middleware/http.go b/server/middleware/http.go
index bb989845..ec65df74 100644
--- a/server/middleware/http.go
+++ b/server/middleware/http.go
@@ -48,6 +48,12 @@ func IndexHeaders(fn func(App, http.ResponseWriter, *http.Request)) func(ctx App
 cspHeader += "worker-src 'self' blob:; "
 cspHeader += "form-action 'self'; base-uri 'self'; "
 cspHeader += "frame-src 'self'; "
+ if ori := Config.Get("features.protection.iframe").String(); ori == "" {
+ cspHeader += "frame-ancestors 'none';"
+ header.Set("X-Frame-Options", "DENY")
+ } else {
+ cspHeader += fmt.Sprintf("frame-ancestors %s;", ori)
+ }
 header.Set("Content-Security-Policy", cspHeader)
 fn(ctx, res, req)
 }
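Review bot: The Description on the new `iframe` FormElement should spell out the exact format the value must take, because the middleware hunk on this page writes it verbatim into the Content-Security-Policy frame-ancestors directive and the session hunk relaxes the cookie's SameSite mode whenever it is non-empty; "list of domains" undersells both. Something like `Description: "space-separated list of origins (scheme://host[:port]) allowed to embed the application in an iframe; written into the CSP frame-ancestors directive and switches the session cookie to SameSite=None. eg: https://www.filestash.app http://example.com"` would give an admin what they need to set it safely. The element also uses `Type: "text"` while the neighbouring element uses `Type: "string"`; if both are accepted form types this is fine, otherwise align them. NewConfiguration's body continues outside this hunk.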
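Review bot: `Secure: true` is now set unconditionally on the session cookie, so browsers will drop it on any deployment reached over plain HTTP (a local instance, or an HTTP hop behind a reverse proxy) and login silently stops working there. Browsers do require Secure alongside SameSite=None, which is presumably why it was added, but the flag should follow how the request actually arrived, e.g. `Secure: req.TLS != nil,` (with a configuration switch for TLS terminated at a proxy), and the iframe setting's description should say that embedding only works over HTTPS. Separately, the closure returns `http.SameSiteNoneMode` for every cross-site request, not only those from the origins listed in `features.protection.iframe`; the CSP frame-ancestors list in middleware/http.go limits who may embed the page but not who may send cross-site requests, so enabling iframe mode gives up the cookie's SameSite CSRF defence app-wide unless another CSRF control exists elsewhere, which deserves a comment on the closure. SessionAuthenticate begins and ends outside this hunk.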
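Review bot: The `else` branch passes the `features.protection.iframe` setting into the Content-Security-Policy header verbatim through fmt.Sprintf, so a value containing `;` or `,` would terminate the frame-ancestors directive and start a new directive or policy, and a whitespace-only value passes the `ori == ""` test yet emits a frame-ancestors directive with no sources. The value is admin-controlled, so the exposure is limited, but failing closed is cheap: tokenise it with strings.Fields and fall back to the `'none'`/DENY branch when no token remains or a separator character is present. The allow branch setting no X-Frame-Options is expected, since that header has no usable allow-list form, but a one-line comment saying so would save the next reader the question. `strings` needs importing if the file does not already do so; IndexHeaders begins outside this hunk.
```go
// … unchanged: earlier cspHeader directives …
ori := Config.Get("features.protection.iframe").String()
ancestors := strings.Fields(ori)
if len(ancestors) == 0 || strings.ContainsAny(ori, ";,") {
	// Empty, whitespace-only or malformed value: fail closed so a stray
	// ';' or ',' in the setting cannot start a new directive or policy.
	cspHeader += "frame-ancestors 'none';"
	header.Set("X-Frame-Options", "DENY")
} else {
	// X-Frame-Options has no allow-list form; frame-ancestors carries the policy here.
	cspHeader += "frame-ancestors " + strings.Join(ancestors, " ") + ";"
}
header.Set("Content-Security-Policy", cspHeader)
```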