apache: Set CSP and other common security headers

Tests performed: - Fonts Lato is properly and displayed. - No <frame>, <iframe>, <video>, <audio>, <track>, <embed>, <object>, <applet> tags are used in FreedomBox source code. - Checked that there are no images referring to external URLs. Most of the common images such as apps lists, system list, networks and manual show images properly. - Styles specified in main.css work as well as page specific styles such as in networks. Firefox developer console shows inline styles loaded. - JSXC is able to make XHR requests to ejabberd. - Able to launch <a> links with _target='blank' such as in /help/support/. - When visiting external websites, such as in donate page, Referer header is not sent. When visiting page within FreedomBox interface, Referer header is sent with path. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Veiko Aasa <veiko17@disroot.org>
2026-01-21 07:55:00 +00:00 · 2020-06-27 17:21:56 -07:00 · 2020-06-27 17:21:56 -07:00 · 110ec7d744
commit 110ec7d744
parent c865a1cd89
1 changed files with 39 additions and 0 deletions
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
@ -11,6 +11,45 @@ Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=H
 RedirectMatch "^/$" "/plinth"
 RedirectMatch "^/freedombox" "/plinth"

+##
+## Disable sending Referer (sic) header from FreedomBox web interface to
+## external websites. This improves privacy by not disclosing FreedomBox
+## domains/URLs to external domains. Apps such as blogs which want to popularize
+## themselves with referrer header may still do so.
+##
+## A strict Content Security Policy.
+## - @fonts are allowed only from FreedomBox itself.
+## - <frame>/<iframe> sources are disabled.
+## - <img> sources are allowed only from FreedomBox itself.
+## - Manifest file is not allowed as there is none yet.
+## - <audio>, <video>, <track> tags are not allowed yet.
+## - <object>, <embed>, <applet> tags are not allowed yet.
+## - Allow JS from FreedomBox itself (no inline and attribute scripts).
+## - Allow inline CSS and CSS files from Freedombox itself.
+## - Web worker sources are disabled.
+## - All other fetch sources including Ajax are not allowed from FreedomBox
+##   itself.
+## - <base> tag is not allowed.
+## - No plugins types are alllowed since object-src is 'none'.
+## - Form action should be to FreedomBox itself.
+## - This interface may be not embedded in <frame>, <iframe>, etc. tags.
+## - When serving HTTPS, don't allow HTTP assets.
+##
+## Enable strict sandboxing enabled with some exceptions:
+## - Allow running Javascript.
+## - Allow popups as sometimes we use <a target=_blank>
+## - Allow forms to support configuration forms.
+## -
+##
+## Disable browser guessing of MIME types. FreedoBox already sets good content
+## types for all the common file types.
+##
+<Location /plinth>
+    Header set Referrer-Policy 'same-origin'
+    Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; worker-src 'none'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
+    Header set X-Content-Type-Options 'nosniff'
+</Location>
+
 ##
 ## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
 ## icon using <link rel=''>.