From bd20daea284061f9d92af22d6c9beb138fffd76d Mon Sep 17 00:00:00 2001
From: Simon Bruder
Date: Wed, 15 Sep 2021 07:30:14 +0200
Subject: [PATCH] vueko/element-web: Make PDF download work
---
 machines/vueko/services/element-web.nix | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/machines/vueko/services/element-web.nix b/machines/vueko/services/element-web.nix
index 7581ce3..56ab4b1 100644
--- a/machines/vueko/services/element-web.nix
+++ b/machines/vueko/services/element-web.nix
@@ -1,5 +1,18 @@
 { lib, pkgs, ... }:
-
+let
+ # This uses
+ # https://github.com/vector-im/element-web#configuration-best-practices
+ # but allows to disable the frame-ancestors rule for /usercontent/.
+ mkSecurityHeaders = withFrameOptions: ''
+ add_header X-Content-Type-Options nosniff;
+ add_header X-Frame-Options SAMEORIGIN;
+ add_header X-XSS-Protection "1; mode=block";
+ '' + lib.optionalString withFrameOptions ''
+ add_header Content-Security-Policy "frame-ancestors 'none'";
+ '' + lib.optionalString (!withFrameOptions) ''
+ add_header Content-Security-Policy "frame-ancestors 'self'";
+ '';
+in
 {
 services.nginx.virtualHosts."chat.sbruder.de" = {
 enableACME = true;
@@ -7,13 +20,8 @@
 root = pkgs.element-web;
- extraConfig = ''
- # https://github.com/vector-im/element-web#configuration-best-practices
- add_header Content-Security-Policy "frame-ancestors 'none'";
- add_header X-Content-Type-Options nosniff;
- add_header X-Frame-Options SAMEORIGIN;
- add_header X-XSS-Protection "1; mode=block";
- '';
+ extraConfig = mkSecurityHeaders true;
+ locations."/usercontent/".extraConfig = mkSecurityHeaders false;
 # nixpkgs’s override mechanism doesn’t allow overriding of all options
 locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {
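Review bot: The parameter name `withFrameOptions` and the comment "allows to disable the frame-ancestors rule" in `mkSecurityHeaders` do not match what the helper emits. `X-Frame-Options SAMEORIGIN` is sent in both cases, and the CSP rule is never disabled, only relaxed from `frame-ancestors 'none'` to `frame-ancestors 'self'`. I would rename the parameter to something like `denyFraming` and reword the comment to `# ... but relaxes frame-ancestors from 'none' to 'self' for /usercontent/ (X-Frame-Options stays SAMEORIGIN).` so the next reader does not assume framing protection is off for that path. The two complementary `lib.optionalString` calls would read more clearly as a single `if denyFraming then ... else ...`. Separately, `add_header` without the `always` parameter is applied only to success and redirect responses, so nginx error responses on this vhost go out without these headers; `add_header X-Content-Type-Options nosniff always;` (and likewise for the other three) would cover them.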
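Review bot: The `locations."/usercontent/".extraConfig = mkSecurityHeaders false;` line deserves a comment explaining why the whole header set is repeated rather than just the CSP line. nginx inherits `add_header` directives from the server level only when the location defines none of its own, so a location that set only `Content-Security-Policy` would silently drop `X-Content-Type-Options`, `X-Frame-Options` and `X-XSS-Protection` for user content. Something like `# add_header in a location replaces the server-level set, so re-emit all headers here` would stop a later cleanup from trimming it. The same rule applies to any other location on this vhost that gains its own `add_header`; the rest of the virtualHost body is outside this hunk, so that is worth checking there.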