[v6.2] Fix CSP/X-Frame-Options headers#80
| caddy_0.route_5: /external-apps/* | ||
| caddy_0.route_5.header.X-Frame-Options: "ALLOWALL" | ||
| caddy_0.route_5.header.-Content-Security-Policy: "" |
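Review bot: the `-Content-Security-Policy: ""` label on route_5 deletes the CSP header outright for everything under `/external-apps/*`, and `X-Frame-Options: "ALLOWALL"` is not a value browsers recognise (only DENY and SAMEORIGIN are honoured), so these paths end up with no framing restriction at all rather than a relaxed one. If the goal is to allow embedding, keep the CSP and add a `frame-ancestors` directive listing the origins permitted to embed these paths, scoped to this route, instead of removing the header.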
This completely removes the CSP header for all universal apps.
What was the initial purpose of this? Allow embedding apps and forms within other pages? The commit message of dbe7f6c suggests this.
We could do this through a frame-ancestors directive
Completely disabling the CSP for a bunch of path prefixes seems like the wrong approach for this
We could do this through a frame-ancestors directive
However, this should probably still be path-scoped to prevent unnecessary risk of clickjacking attacks.
Maybe strict SameSite settings for auth cookies are "enough" to defend against clickjacking attacks:
As an additional partial mitigation, sites should set the SameSite cookie attribute for session cookies to Lax or Strict. Requests from embedded contexts such as <iframe> elements that are not same-site with the top-level document will not include these cookies, and the server will therefore not treat the request as coming from a logged-in user.
This is required in order to preview AI-generated HTML pages
ALLOWALL is not an allowed value for the X-Frame-Options header
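To make the difference between deleting the CSP and restricting it concrete, here is an added example (not code from this PR or the project): a small Python audit that reports the effective framing policy of a response's headers, treating a CSP frame-ancestors directive as authoritative and flagging an unrecognised X-Frame-Options value such as ALLOWALL. The header sets and the portal.example.test origin are constructed for the example.

```python
from typing import Optional

# Values browsers honour for X-Frame-Options; anything else is ignored.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_frame_ancestors(csp: str) -> Optional[list]:
    """Return the source list of a CSP frame-ancestors directive, or None
    when the directive is absent (directives are ';'-separated)."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_policy(headers: dict) -> dict:
    """Describe which origins may frame a response with these headers.

    Header names are matched case-insensitively. A CSP frame-ancestors
    directive takes precedence over X-Frame-Options; an X-Frame-Options
    value outside VALID_XFO (such as ALLOWALL) is ignored by browsers, so
    without a CSP it leaves the page frameable by any origin.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    ancestors = parse_frame_ancestors(csp)
    if ancestors is not None:
        return {"source": "csp", "frameable": ancestors != ["'none'"],
                "allowed": ancestors, "findings": []}
    findings = [] if csp else ["no Content-Security-Policy header"]
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in VALID_XFO:
        return {"source": "xfo", "frameable": xfo == "SAMEORIGIN",
                "allowed": ["'self'"] if xfo == "SAMEORIGIN" else [],
                "findings": findings}
    findings.append(f"X-Frame-Options {xfo!r} is not a valid value" if xfo
                    else "no X-Frame-Options header")
    return {"source": "none", "frameable": True, "allowed": ["*"],
            "findings": findings}


# Constructed sample responses mirroring the cases discussed in the thread.
PR_AS_PROPOSED = {"X-Frame-Options": "ALLOWALL"}           # CSP header deleted
SCOPED_ALLOW = {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors 'self' https://portal.example.test"}
LOCKED_DOWN = {"Content-Security-Policy": "frame-ancestors 'none'",
               "X-Frame-Options": "DENY"}
```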