Dissociate frameguard from csp

author: Chocobozzz <me@florianbigard.com> 2021-04-12 15:33:54 +0200
committer: Chocobozzz <me@florianbigard.com> 2021-04-12 15:33:54 +0200
commit: 8155db669baff9aac5617a7aaf68dd35823ed7c9 (patch)
tree: 9a7575cd5d6bc9f4905d02c4a9aedd603ec2ec83
parent: c24822a8fdbc0647aa983fe7d784864ec3b9b854 (diff)
download: PeerTube-8155db669baff9aac5617a7aaf68dd35823ed7c9.tar.gz
PeerTube-8155db669baff9aac5617a7aaf68dd35823ed7c9.tar.zst
PeerTube-8155db669baff9aac5617a7aaf68dd35823ed7c9.zip
6 files changed, 55 insertions, 5 deletions
diff --git a/config/default.yaml b/config/default.yaml
index f9b6c50a3..281cc0577 100644
--- a/config/default.yaml
+++ b/config/default.yaml
@@ -153,6 +153,11 @@ csp:
  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
  report_uri:
+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
 tracker:
  # If you disable the tracker, you disable the P2P aspect of PeerTube
  enabled: true
diff --git a/config/production.yaml.example b/config/production.yaml.example
index f2e75af32..fed6b45ca 100644
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -151,6 +151,11 @@ csp:
  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
  report_uri:
+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
 tracker:
  # If you disable the tracker, you disable the P2P aspect of PeerTube
  enabled: true
diff --git a/server.ts b/server.ts
index f44202c9a..2531080a3 100644
--- a/server.ts
+++ b/server.ts
@@ -59,11 +59,11 @@ import { baseCSP } from './server/middlewares/csp'
 if (CONFIG.CSP.ENABLED) {
  app.use(baseCSP)
-  app.use(helmet({
+}
-    frameguard: {
-      action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
+if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) {
-    },
+  app.use(helmet.frameguard({
-    hsts: false
+    action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
  }))
 }
diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts
index e92cc4d2c..2864b0287 100644
--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@@ -17,6 +17,7 @@ function checkMissedConfig () {
    'log.level',
    'user.video_quota', 'user.video_quota_daily',
    'csp.enabled', 'csp.report_only', 'csp.report_uri',
+    'security.frameguard.enabled',
    'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
    'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
    'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',
diff --git a/server/initializers/config.ts b/server/initializers/config.ts
index 4e15acd0d..5281d3a66 100644
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@@ -134,6 +134,11 @@ const CONFIG = {
    REPORT_ONLY: config.get<boolean>('csp.report_only'),
    REPORT_URI: config.get<string>('csp.report_uri')
  },
+  SECURITY: {
+    FRAMEGUARD: {
+      ENABLED: config.get<boolean>('security.frameguard.enabled')
+    }
+  },
  TRACKER: {
    ENABLED: config.get<boolean>('tracker.enabled'),
    PRIVATE: config.get<boolean>('tracker.private'),
diff --git a/server/tests/api/server/config.ts b/server/tests/api/server/config.ts
index 0b0f48d22..1d9ea31df 100644
--- a/server/tests/api/server/config.ts
+++ b/server/tests/api/server/config.ts
@@ -12,6 +12,7 @@ import {
  getConfig,
  getCustomConfig,
  killallServers,
+  makeGetRequest,
  parallelTests,
  registerUser,
  reRunServer,
@@ -508,6 +509,39 @@ describe('Test config', function () {
    checkInitialConfig(server, data)
  })
+  it('Should enable frameguard', async function () {
+    this.timeout(25000)
+    {
+      const res = await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/config',
+        statusCodeExpected: 200
+      })
+      expect(res.headers['x-frame-options']).to.exist
+    }
+    killallServers([ server ])
+    const config = {
+      security: {
+        frameguard: { enabled: false }
+      }
+    }
+    server = await reRunServer(server, config)
+    {
+      const res = await makeGetRequest({
+        url: server.url,
+        path: '/api/v1/config',
+        statusCodeExpected: 200
+      })
+      expect(res.headers['x-frame-options']).to.not.exist
+    }
+  })
  after(async function () {
    await cleanupTests([ server ])
  })
author	Chocobozzz <me@florianbigard.com>	2021-04-12 15:33:54 +0200
committer	Chocobozzz <me@florianbigard.com>	2021-04-12 15:33:54 +0200
commit	8155db669baff9aac5617a7aaf68dd35823ed7c9 (patch)
tree	9a7575cd5d6bc9f4905d02c4a9aedd603ec2ec83
parent	c24822a8fdbc0647aa983fe7d784864ec3b9b854 (diff)
download	PeerTube-8155db669baff9aac5617a7aaf68dd35823ed7c9.tar.gz PeerTube-8155db669baff9aac5617a7aaf68dd35823ed7c9.tar.zst PeerTube-8155db669baff9aac5617a7aaf68dd35823ed7c9.zip

diff --git a/config/default.yaml b/config/default.yaml index f9b6c50a3..281cc0577 100644 --- a/config/default.yaml +++ b/config/default.yaml
@@ -153,6 +153,11 @@ csp:
153	report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!	153	report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
154	report_uri:	154	report_uri:
155		155
		156	security:
		157	# Set the X-Frame-Options header to help to mitigate clickjacking attacks
		158	frameguard:
		159	enabled: true
		160
156	tracker:	161	tracker:
157	# If you disable the tracker, you disable the P2P aspect of PeerTube	162	# If you disable the tracker, you disable the P2P aspect of PeerTube
158	enabled: true	163	enabled: true


diff --git a/config/production.yaml.example b/config/production.yaml.example index f2e75af32..fed6b45ca 100644 --- a/config/production.yaml.example +++ b/config/production.yaml.example
@@ -151,6 +151,11 @@ csp:
151	report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!	151	report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
152	report_uri:	152	report_uri:
153		153
		154	security:
		155	# Set the X-Frame-Options header to help to mitigate clickjacking attacks
		156	frameguard:
		157	enabled: true
		158
154	tracker:	159	tracker:
155	# If you disable the tracker, you disable the P2P aspect of PeerTube	160	# If you disable the tracker, you disable the P2P aspect of PeerTube
156	enabled: true	161	enabled: true


diff --git a/server.ts b/server.ts index f44202c9a..2531080a3 100644 --- a/server.ts +++ b/server.ts
@@ -59,11 +59,11 @@ import { baseCSP } from './server/middlewares/csp'
59		59
60	if (CONFIG.CSP.ENABLED) {	60	if (CONFIG.CSP.ENABLED) {
61	app.use(baseCSP)	61	app.use(baseCSP)
62	app.use(helmet({	62	}
63	frameguard: {	63
64	action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts	64	if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) {
65	},	65	app.use(helmet.frameguard({
66	hsts: false	66	action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts
67	}))	67	}))
68	}	68	}
69		69


diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts index e92cc4d2c..2864b0287 100644 --- a/server/initializers/checker-before-init.ts +++ b/server/initializers/checker-before-init.ts
@@ -17,6 +17,7 @@ function checkMissedConfig () {
17	'log.level',	17	'log.level',
18	'user.video_quota', 'user.video_quota_daily',	18	'user.video_quota', 'user.video_quota_daily',
19	'csp.enabled', 'csp.report_only', 'csp.report_uri',	19	'csp.enabled', 'csp.report_only', 'csp.report_uri',
		20	'security.frameguard.enabled',
20	'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',	21	'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled',
21	'signup.enabled', 'signup.limit', 'signup.requires_email_verification',	22	'signup.enabled', 'signup.limit', 'signup.requires_email_verification',
22	'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',	23	'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist',


diff --git a/server/initializers/config.ts b/server/initializers/config.ts index 4e15acd0d..5281d3a66 100644 --- a/server/initializers/config.ts +++ b/server/initializers/config.ts
@@ -134,6 +134,11 @@ const CONFIG = {
134	REPORT_ONLY: config.get<boolean>('csp.report_only'),	134	REPORT_ONLY: config.get<boolean>('csp.report_only'),
135	REPORT_URI: config.get<string>('csp.report_uri')	135	REPORT_URI: config.get<string>('csp.report_uri')
136	},	136	},
		137	SECURITY: {
		138	FRAMEGUARD: {
		139	ENABLED: config.get<boolean>('security.frameguard.enabled')
		140	}
		141	},
137	TRACKER: {	142	TRACKER: {
138	ENABLED: config.get<boolean>('tracker.enabled'),	143	ENABLED: config.get<boolean>('tracker.enabled'),
139	PRIVATE: config.get<boolean>('tracker.private'),	144	PRIVATE: config.get<boolean>('tracker.private'),


diff --git a/server/tests/api/server/config.ts b/server/tests/api/server/config.ts index 0b0f48d22..1d9ea31df 100644 --- a/server/tests/api/server/config.ts +++ b/server/tests/api/server/config.ts
@@ -12,6 +12,7 @@ import {
12	getConfig,	12	getConfig,
13	getCustomConfig,	13	getCustomConfig,
14	killallServers,	14	killallServers,
		15	makeGetRequest,
15	parallelTests,	16	parallelTests,
16	registerUser,	17	registerUser,
17	reRunServer,	18	reRunServer,
@@ -508,6 +509,39 @@ describe('Test config', function () {
508	checkInitialConfig(server, data)	509	checkInitialConfig(server, data)
509	})	510	})
510		511
		512	it('Should enable frameguard', async function () {
		513	this.timeout(25000)
		514
		515	{
		516	const res = await makeGetRequest({
		517	url: server.url,
		518	path: '/api/v1/config',
		519	statusCodeExpected: 200
		520	})
		521
		522	expect(res.headers['x-frame-options']).to.exist
		523	}
		524
		525	killallServers([ server ])
		526
		527	const config = {
		528	security: {
		529	frameguard: { enabled: false }
		530	}
		531	}
		532	server = await reRunServer(server, config)
		533
		534	{
		535	const res = await makeGetRequest({
		536	url: server.url,
		537	path: '/api/v1/config',
		538	statusCodeExpected: 200
		539	})
		540
		541	expect(res.headers['x-frame-options']).to.not.exist
		542	}
		543	})
		544
511	after(async function () {	545	after(async function () {
512	await cleanupTests([ server ])	546	await cleanupTests([ server ])
513	})	547	})