From 8155db669baff9aac5617a7aaf68dd35823ed7c9 Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Mon, 12 Apr 2021 15:33:54 +0200
Subject: Dissociate frameguard from csp
---
 config/default.yaml | 5 +++++
 config/production.yaml.example | 5 +++++
 server.ts | 10 ++++-----
 server/initializers/checker-before-init.ts | 1 +
 server/initializers/config.ts | 5 +++++
 server/tests/api/server/config.ts | 34 ++++++++++++++++++++++++++++++
 6 files changed, 55 insertions(+), 5 deletions(-)
diff --git a/config/default.yaml b/config/default.yaml
index f9b6c50a3..281cc0577 100644
--- a/config/default.yaml
+++ b/config/default.yaml
@@ -153,6 +153,11 @@ csp:
 report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
 report_uri:
+security:
+ # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+ frameguard:
+ enabled: true
+
 tracker:
 # If you disable the tracker, you disable the P2P aspect of PeerTube
 enabled: true
diff --git a/config/production.yaml.example b/config/production.yaml.example
index f2e75af32..fed6b45ca 100644
--- a/config/production.yaml.example
+++ b/config/production.yaml.example
@@ -151,6 +151,11 @@ csp:
 report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
 report_uri:
+security:
+ # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+ frameguard:
+ enabled: true
+
 tracker:
 # If you disable the tracker, you disable the P2P aspect of PeerTube
 enabled: true
diff --git a/server.ts b/server.ts
index f44202c9a..2531080a3 100644
--- a/server.ts
+++ b/server.ts
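Review bot: The new comment on `security.frameguard.enabled` should tell the operator what turning it off costs, because in the same file `csp.report_only: true` means any CSP `frame-ancestors` directive (if `baseCSP` sets one; not visible in this diff) is only reported, which leaves this `X-Frame-Options` header as the one enforced clickjacking control on every page except the embed route. Suggest extending it to `# Set the X-Frame-Options header to help to mitigate clickjacking attacks` followed by `# Disabling it lets any site frame PeerTube pages unless frame-ancestors is enforced by CSP or a reverse proxy`. The same wording applies to the identical hunk in config/production.yaml.example.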
@@ -59,11 +59,11 @@ import { baseCSP } from './server/middlewares/csp' if (CONFIG.CSP.ENABLED) { app.use(baseCSP) - app.use(helmet({ - frameguard: { - action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts - }, - hsts: false +} + +if (CONFIG.SECURITY.FRAMEGUARD.ENABLED) { + app.use(helmet.frameguard({ + action: 'deny' // we only allow it for /videos/embed, see server/controllers/client.ts })) } diff --git a/server/initializers/checker-before-init.ts b/server/initializers/checker-before-init.ts index e92cc4d2c..2864b0287 100644 --- a/server/initializers/checker-before-init.ts +++ b/server/initializers/checker-before-init.ts @@ -17,6 +17,7 @@ function checkMissedConfig () { 'log.level', 'user.video_quota', 'user.video_quota_daily', 'csp.enabled', 'csp.report_only', 'csp.report_uri', + 'security.frameguard.enabled', 'cache.previews.size', 'cache.captions.size', 'cache.torrents.size', 'admin.email', 'contact_form.enabled', 'signup.enabled', 'signup.limit', 'signup.requires_email_verification', 'signup.filters.cidr.whitelist', 'signup.filters.cidr.blacklist', diff --git a/server/initializers/config.ts b/server/initializers/config.ts index 4e15acd0d..5281d3a66 100644 --- a/server/initializers/config.ts +++ b/server/initializers/config.ts @@ -134,6 +134,11 @@ const CONFIG = { REPORT_ONLY: config.get('csp.report_only'), REPORT_URI: config.get('csp.report_uri') }, + SECURITY: { + FRAMEGUARD: { + ENABLED: config.get('security.frameguard.enabled') + } + }, TRACKER: { ENABLED: config.get('tracker.enabled'), PRIVATE: config.get('tracker.private'), diff --git a/server/tests/api/server/config.ts b/server/tests/api/server/config.ts index 0b0f48d22..1d9ea31df 100644 --- a/server/tests/api/server/config.ts +++ b/server/tests/api/server/config.ts @@ -12,6 +12,7 @@ import { getConfig, getCustomConfig, killallServers, + makeGetRequest, parallelTests, registerUser, reRunServer, 
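Review bot: Replacing `app.use(helmet({ frameguard: …, hsts: false }))` with `app.use(helmet.frameguard({ action: 'deny' }))` drops every other middleware the bundled `helmet()` call registered — at least `X-Content-Type-Options: nosniff`, `X-DNS-Prefetch-Control`, `X-Download-Options` and the removal of `X-Powered-By`, with the exact set depending on the helmet major PeerTube pins, which this diff does not show — so instances running with `csp.enabled: true` silently lose those headers after this change. Unless a reverse proxy sets them, keep the bundle outside both conditionals and opt out only of what is handled separately: `app.use(helmet({ contentSecurityPolicy: false, frameguard: false, hsts: false }))` (the `contentSecurityPolicy` key matters only on helmet 4+, where CSP is on by default and would otherwise double up with `baseCSP`). Add a comment above it stating that CSP comes from `baseCSP` and `X-Frame-Options` from the `security.frameguard` block below, and keep `hsts: false` so HSTS stays with the TLS terminator as before.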
@@ -508,6 +509,39 @@ describe('Test config', function () {
 checkInitialConfig(server, data)
 })
+ it('Should enable frameguard', async function () {
+ this.timeout(25000)
+
+ {
+ const res = await makeGetRequest({
+ url: server.url,
+ path: '/api/v1/config',
+ statusCodeExpected: 200
+ })
+
+ expect(res.headers['x-frame-options']).to.exist
+ }
+
+ killallServers([ server ])
+
+ const config = {
+ security: {
+ frameguard: { enabled: false }
+ }
+ }
+ server = await reRunServer(server, config)
+
+ {
+ const res = await makeGetRequest({
+ url: server.url,
+ path: '/api/v1/config',
+ statusCodeExpected: 200
+ })
+
+ expect(res.headers['x-frame-options']).to.not.exist
+ }
+ })
+
 after(async function () {
 await cleanupTests([ server ])
 })
-- cgit v1.2.3
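Review bot: The assertion `expect(res.headers['x-frame-options']).to.exist` only checks presence; since server.ts hard-codes `action: 'deny'`, pin the value with `expect(res.headers['x-frame-options']).to.equal('DENY')` so a later switch to `sameorigin` or to a different middleware is caught. The test also never exercises the `/videos/embed` exemption that the comment in server.ts relies on, so a third request to an embed path asserting the header is absent while frameguard is enabled would protect that behaviour (the route may need an existing video to return 200, which this hunk does not show). `killallServers([ server ])` is not awaited; if it is synchronous that is fine, otherwise `reRunServer` can race the old process. The enclosing `describe('Test config')` block starts before the hunk.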