quickfix: add frame-ancestors csp policy (#3039)

ikreymer · SuaYoo · web-flow · commit 72e633240aff · 2025-12-02T11:39:23.000-08:00
- disallow external framing most of the app, except profile browsers for
debugging

---------

Co-authored-by: sua yoo &lt;sua@webrecorder.org&gt;
diff --git a/frontend/frontend.conf.template b/frontend/frontend.conf.template
@@ -39,6 +39,8 @@ server {
       root   /usr/share/nginx/html;
       index  index.html index.htm;
       try_files $uri /index.html;
+
+      add_header Content-Security-Policy "frame-ancestors 'self'";
     }
 
     location ~* /docs/(.*)$ {
@@ -148,6 +150,8 @@ server {
 
       proxy_pass http://browser-$browserid.browser$fqdn_suffix:9223/vnc/;
       proxy_set_header Host "localhost";
+
+      add_header Content-Security-Policy "frame-ancestors 'self' localhost:*";
     }
 
     location = /access_check_profiles {

Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ server {`
`39`	`39`	`root /usr/share/nginx/html;`
`40`	`40`	`index index.html index.htm;`
`41`	`41`	`try_files $uri /index.html;`
	`42`	`+`
	`43`	`+ add_header Content-Security-Policy "frame-ancestors 'self'";`
`42`	`44`	`}`
`43`	`45`
`44`	`46`	`location ~* /docs/(.*)$ {`
`@@ -148,6 +150,8 @@ server {`
`148`	`150`
`149`	`151`	`proxy_pass http://browser-$browserid.browser$fqdn_suffix:9223/vnc/;`
`150`	`152`	`proxy_set_header Host "localhost";`
	`153`	`+`
	`154`	`+ add_header Content-Security-Policy "frame-ancestors 'self' localhost:*";`
`151`	`155`	`}`
`152`	`156`
`153`	`157`	`location = /access_check_profiles {`