renge/element-web: Fix frame-ancestors CSP
Something changed in how Firefox interprets the CSP, which made loading element web fail.
parent
08e30e01cf
commit
391234776a
|
@ -3,20 +3,7 @@
|
||||||
# SPDX-License-Identifier: AGPL-3.0-or-later
|
# SPDX-License-Identifier: AGPL-3.0-or-later
|
||||||
|
|
||||||
{ lib, pkgs, ... }:
|
{ lib, pkgs, ... }:
|
||||||
let
|
|
||||||
# This uses
|
|
||||||
# https://github.com/vector-im/element-web#configuration-best-practices
|
|
||||||
# but allows to disable the frame-ancestors rule for /usercontent/.
|
|
||||||
mkSecurityHeaders = withFrameOptions: ''
|
|
||||||
add_header X-Content-Type-Options nosniff;
|
|
||||||
add_header X-Frame-Options SAMEORIGIN;
|
|
||||||
add_header X-XSS-Protection "1; mode=block";
|
|
||||||
'' + lib.optionalString withFrameOptions ''
|
|
||||||
add_header Content-Security-Policy "frame-ancestors 'none'";
|
|
||||||
'' + lib.optionalString (!withFrameOptions) ''
|
|
||||||
add_header Content-Security-Policy "frame-ancestors 'self'";
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
services.nginx.virtualHosts."chat.sbruder.de" = {
|
services.nginx.virtualHosts."chat.sbruder.de" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
|
@ -24,8 +11,13 @@ in
|
||||||
|
|
||||||
root = pkgs.element-web;
|
root = pkgs.element-web;
|
||||||
|
|
||||||
extraConfig = mkSecurityHeaders true;
|
# https://github.com/vector-im/element-web#configuration-best-practices
|
||||||
locations."/usercontent/".extraConfig = mkSecurityHeaders false;
|
extraConfig = ''
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
add_header X-XSS-Protection "1; mode=block";
|
||||||
|
add_header Content-Security-Policy "frame-ancestors 'self'";
|
||||||
|
'';
|
||||||
|
|
||||||
# nixpkgs’s override mechanism doesn’t allow overriding of all options
|
# nixpkgs’s override mechanism doesn’t allow overriding of all options
|
||||||
locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {
|
locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {
|
||||||
|
|
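Review bot: The four `add_header` lines in the new server-level `extraConfig` omit the `always` parameter, so nginx attaches them only to successful and redirect responses; its own error pages (404, 5xx) go out without the framing and nosniff protections. Consider `add_header Content-Security-Policy "frame-ancestors 'self'" always;` and the same suffix on the other three. Note also that nginx inherits server-level `add_header` directives only into locations that declare none of their own, so any location under this vhost that later gains an `add_header` will drop all four headers unless they are repeated there; the `locations` entries continue outside this hunk, so that is worth checking. Finally, a one-line comment above the block recording why `'self'` is used where the main app previously sent `'none'` would keep the relaxation from being reverted by accident, since the commit message only says that Firefox's behaviour changed.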