fix (#469): allow cross domain iframe

server/common/config.go

@@ -92,6 +92,12 @@ func NewConfiguration() Configuration {
 							FormElement{Name: "redirect", Type: "string", Placeholder: "redirection URL", Description: "When set, shared links will perform a redirection to another link. Example: https://example.com?full_path={{path}}"},
 						},
 					},
+					Form{
+						Title: "protection",
+						Elmnts: []FormElement{
+							FormElement{Name: "iframe", Type: "text", Default: "", Description: "list of domains who can use the application from an iframe. eg: https://www.filestash.app http://example.com"},
+						},
+					},
 				},
 			},
 			Form{

server/ctrl/session.go

@@ -102,7 +102,13 @@ func SessionAuthenticate(ctx App, res http.ResponseWriter, req *http.Request) {
 			MaxAge:   60 * Config.Get("general.cookie_timeout").Int(),
 			Path:     COOKIE_PATH,
 			HttpOnly: true,
-			SameSite: http.SameSiteStrictMode,
+			Secure:   true,
+			SameSite: func() http.SameSite {
+				if Config.Get("features.protection.iframe").String() != "" {
+					return http.SameSiteNoneMode
+				}
+				return http.SameSiteStrictMode
+			}(),
 		})
 		if end == len(obfuscate) {
 			break

server/middleware/http.go

@@ -48,6 +48,12 @@ func IndexHeaders(fn func(App, http.ResponseWriter, *http.Request)) func(ctx App
 		cspHeader += "worker-src 'self' blob:; "
 		cspHeader += "form-action 'self'; base-uri 'self'; "
 		cspHeader += "frame-src 'self'; "
+		if ori := Config.Get("features.protection.iframe").String(); ori == "" {
+			cspHeader += "frame-ancestors 'none';"
+			header.Set("X-Frame-Options", "DENY")
+		} else {
+			cspHeader += fmt.Sprintf("frame-ancestors %s;", ori)
+		}
 		header.Set("Content-Security-Policy", cspHeader)
 		fn(ctx, res, req)
 	}