nik/FreedomBox
1
0
Fork 0
mirror of https://github.com/freedombox/FreedomBox.git synced 2026-01-21 07:55:00 +00:00
Code Issues Packages Projects Releases Wiki Activity

apache2: Allow popups to have different sandbox policy

Browse Source 
- Without this change when opening popups, Firefox throws the error 'Blocked
Page' under certain conditions.

- Complete a comment that was seemingly left unfinished.

Tests:

- With the changes installed with 'make build install', opening popups with
<a target="_blank"></a> works without 'Blocked page' error.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
This commit is contained in:
Sunil Mohan Adapa 2024-10-04 20:11:34 -07:00 committed by Veiko Aasa
parent c35555a273
commit d38f787a42
No known key found for this signature in database
GPG Key ID: 478539CAE680674E
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
data/etc/apache2/conf-available/freedombox.conf
View File

@ -72,15 +72,18 @@ RedirectMatch "^/$" "/plinth"
## Enable strict sandboxing enabled with some exceptions:
## - Allow running Javascript.
## - Allow popups as sometimes we use <a target=_blank>
## - Allow popups to have different sandbox requirements as we launch apps' web
## clients.
## - Allow forms to support configuration forms.
## -
## - Allow policies to treat same origin differently from other origins
## - Allow downloads such as backup tarballs.
##
## Disable browser guessing of MIME types. FreedoBox already sets good content
## types for all the common file types.
##
<LocationMatch "^/(plinth|freedombox)">
Header set Referrer-Policy 'same-origin'
Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
Header set X-Content-Type-Options 'nosniff'
</LocationMatch>