Only allow iframes to be loaded from our domain

Manuel Zapf 2021-02-18 14:54:03 +01:00 committed by GitHub
parent 911c439858
commit bae28c5f57
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 78 additions and 1 deletions


@ -33,6 +33,13 @@ func (g DashboardHandler) Append(router *mux.Router) {
Handler(http.StripPrefix("/dashboard/", http.FileServer(g.Assets)))
}
func (g DashboardHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
// allow iframes from our domains only
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src
w.Header().Set("Content-Security-Policy", "frame-src 'self' https://traefik.io https://*.traefik.io;")
http.FileServer(g.Assets).ServeHTTP(w, r)
}
func safePrefix(req *http.Request) string {
prefix := req.Header.Get("X-Forwarded-Prefix")
if prefix == "" {
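Review bot: The new Content-Security-Policy header is only emitted by `DashboardHandler.ServeHTTP`, but the route registered on the context line above (`Handler(http.StripPrefix("/dashboard/", http.FileServer(g.Assets)))`) serves the same assets straight from `http.FileServer` and never goes through `ServeHTTP`, so responses on that path carry no CSP at all. If that `/dashboard/` route is the one browsers actually hit for the dashboard index, the simplest fix is to route it through the handler itself, `Handler(http.StripPrefix("/dashboard/", g))`, so both entry points set the header; the start of `Append` and the other two changed files are outside this hunk, so this may already be handled elsewhere. Separately, note that `frame-src` restricts which origins the dashboard page may embed in its own iframes; it does not stop a third-party page from framing the dashboard (clickjacking), which would need `frame-ancestors 'self'` (or `X-Frame-Options`) — worth a one-line comment on the header so the scope is not misread, e.g. `// frame-src limits what we embed; it is not clickjacking protection (see frame-ancestors).`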