[v6.2] Fix CSP/X-Frame-Options headers

compose/seatable-server.yml

@@ -66,13 +66,13 @@ services:
         default-src 'none';
         style-src 'unsafe-inline' 'self' fonts.googleapis.com;
         script-src 'unsafe-inline' 'unsafe-eval' 'self';
-        script-src-elem 'unsafe-inline' 'self' ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} maps.googleapis.com unpkg.com;
+        script-src-elem 'unsafe-inline' 'self' ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} ${ONLYOFFICE_HOSTNAME:-} maps.googleapis.com unpkg.com;
         font-src 'self' data: unpkg.com ${SEATABLE_SERVER_HOSTNAME}:${TLDRAW_PORT:-6239} fonts.gstatic.com;
         img-src 'self' data: blob: https: market.seatable.io market.seatable.com mt0.google.com maps.googleapis.com maps.gstatic.com;
         media-src 'self';
-        form-action 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232};
+        form-action 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${COLLABORA_HOSTNAME:-};
         connect-src 'self' market.seatable.io market.seatable.com https: ws: blob: data:;
-        frame-src 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233};
+        frame-src 'self' ${SEATABLE_SERVER_HOSTNAME}:${COLLABORA_PORT:-6232} ${COLLABORA_HOSTNAME:-} ${SEATABLE_SERVER_HOSTNAME}:${ONLYOFFICE_PORT:-6233} ${ONLYOFFICE_HOSTNAME:-};
         frame-ancestors 'self';
         worker-src 'self' blob:;
         manifest-src 'self';
@@ -81,23 +81,19 @@ services:
         `"
       # Allow iframes for some directories
       caddy_0.route_0: /dtable/view-external-links/*
-      caddy_0.route_0.header.X-Frame-Options: "ALLOWALL"
       caddy_0.route_0.header.-Content-Security-Policy: ""
       caddy_0.route_1: /dtable/external-links/*
-      caddy_0.route_1.header.X-Frame-Options: "ALLOWALL"
       caddy_0.route_1.header.-Content-Security-Policy: ""
       caddy_0.route_2: /dtable/external-apps/*
-      caddy_0.route_2.header.X-Frame-Options: "ALLOWALL"
       caddy_0.route_2.header.-Content-Security-Policy: ""
       caddy_0.route_3: /dtable/forms/*
-      caddy_0.route_3.header.X-Frame-Options: "ALLOWALL"
       caddy_0.route_3.header.-Content-Security-Policy: ""
       caddy_0.route_4: /apps/custom/*
-      caddy_0.route_4.header.X-Frame-Options: "ALLOWALL"
       caddy_0.route_4.header.-Content-Security-Policy: ""
       caddy_0.route_5: /external-apps/*
-      caddy_0.route_5.header.X-Frame-Options: "ALLOWALL"
       caddy_0.route_5.header.-Content-Security-Policy: ""
+      caddy_0.route_6: /dtable/external-apps-edit/*
+      caddy_0.route_6.header.-Content-Security-Policy: ""
 
       caddy_1: ":80"
       caddy_1.@http.protocol: "http"