From 391234776a9541ad366ba1048df9e3f211d9d737 Mon Sep 17 00:00:00 2001 From: Simon Bruder Date: Thu, 8 Aug 2024 21:26:14 +0200 Subject: [PATCH] renge/element-web: Fix frame-ancestors CSP Something changed in how Firefox interprets the CSP, which made loading element web fail. --- machines/renge/services/element-web.nix | 24 ++++++++---------------- 1 file changed, 8 insertions(+), 16 deletions(-) diff --git a/machines/renge/services/element-web.nix b/machines/renge/services/element-web.nix index 9cce0c4..5119a62 100644 --- a/machines/renge/services/element-web.nix +++ b/machines/renge/services/element-web.nix @@ -3,20 +3,7 @@ # SPDX-License-Identifier: AGPL-3.0-or-later { lib, pkgs, ... }: -let - # This uses - # https://github.com/vector-im/element-web#configuration-best-practices - # but allows to disable the frame-ancestors rule for /usercontent/. - mkSecurityHeaders = withFrameOptions: '' - add_header X-Content-Type-Options nosniff; - add_header X-Frame-Options SAMEORIGIN; - add_header X-XSS-Protection "1; mode=block"; - '' + lib.optionalString withFrameOptions '' - add_header Content-Security-Policy "frame-ancestors 'none'"; - '' + lib.optionalString (!withFrameOptions) '' - add_header Content-Security-Policy "frame-ancestors 'self'"; - ''; -in + { services.nginx.virtualHosts."chat.sbruder.de" = { enableACME = true; @@ -24,8 +11,13 @@ in root = pkgs.element-web; - extraConfig = mkSecurityHeaders true; - locations."/usercontent/".extraConfig = mkSecurityHeaders false; + # https://github.com/vector-im/element-web#configuration-best-practices + extraConfig = '' + add_header X-Content-Type-Options nosniff; + add_header X-Frame-Options SAMEORIGIN; + add_header X-XSS-Protection "1; mode=block"; + add_header Content-Security-Policy "frame-ancestors 'self'"; + ''; # nixpkgs’s override mechanism doesn’t allow overriding of all options locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {