renge/element-web: Fix frame-ancestors CSP

Something changed in how Firefox interprets the CSP, which made loading
element web fail.
This commit is contained in:
Simon Bruder 2024-08-08 21:26:14 +02:00
parent 08e30e01cf
commit 391234776a
Signed by: simon
GPG key ID: 347FF8699CDA0776

View file

@ -3,20 +3,7 @@
# SPDX-License-Identifier: AGPL-3.0-or-later
{ lib, pkgs, ... }:
let
# This uses
# https://github.com/vector-im/element-web#configuration-best-practices
# but allows to disable the frame-ancestors rule for /usercontent/.
mkSecurityHeaders = withFrameOptions: ''
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
'' + lib.optionalString withFrameOptions ''
add_header Content-Security-Policy "frame-ancestors 'none'";
'' + lib.optionalString (!withFrameOptions) ''
add_header Content-Security-Policy "frame-ancestors 'self'";
'';
in
{
services.nginx.virtualHosts."chat.sbruder.de" = {
enableACME = true;
@ -24,8 +11,13 @@ in
root = pkgs.element-web;
extraConfig = mkSecurityHeaders true;
locations."/usercontent/".extraConfig = mkSecurityHeaders false;
# https://github.com/vector-im/element-web#configuration-best-practices
extraConfig = ''
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options SAMEORIGIN;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'self'";
'';
# nixpkgss override mechanism doesnt allow overriding of all options
locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {