maintenance (iframe): content security policy update

server/common/config.go

@@ -617,6 +617,10 @@ func PerformMigration() (err error) {
 			Log.Stdout("BOOT Migration error: hide_menubar")
 			return err
 		}
+		if jsonStr, err = sjson.Delete(jsonStr, "features.protection.iframe"); err != nil {
+			Log.Stdout("BOOT Migration error: features.protection.iframe")
+			return err
+		}
 		if err = saveConfig(schemaVersion+1, jsonStr); err != nil {
 			Log.Stdout("BOOT Couldn't save config")
 			return err

server/middleware/http.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	. "github.com/mickael-kerjean/filestash/server/common"
 	"net/http"
-	"os"
 	"path/filepath"
 )
 
@@ -59,25 +58,6 @@ func IndexHeaders(fn func(App, http.ResponseWriter, *http.Request)) func(ctx App
 		cspHeader += "worker-src 'self' blob:; "
 		cspHeader += "form-action 'self'; base-uri 'self'; "
 		cspHeader += "frame-src 'self'; "
-		if allowedDomainsForIframe := Config.Get("features.protection.iframe").Schema(func(f *FormElement) *FormElement {
-			if f == nil {
-				f = &FormElement{}
-			}
-			f.Default = ""
-			f.Placeholder = "Default: disabled"
-			if envValue := os.Getenv("FEATURES_IFRAME_PROTECTION"); envValue != "" {
-				f.Default = envValue
-				f.Placeholder = "Default: " + envValue
-			}
-
-			f.Name = "iframe"
-			f.Type = "text"
-			f.Target = []string{}
-			f.Description = "The frame-ancestors's value as part of the Content Security Policy header. Use with caution, this setting can make you vulnerable to clicjacking security issues."
-			return f
-		}).String(); allowedDomainsForIframe != "" {
-			cspHeader += "frame-ancestors " + allowedDomainsForIframe
-		}
 		header.Set("Content-Security-Policy", cspHeader)
 		fn(ctx, res, req)
 	}