From d38f787a42db0767e2217664018c4a2c2599cff0 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Fri, 4 Oct 2024 20:11:34 -0700
Subject: [PATCH] apache2: Allow popups to have different sandbox policy

- Without this change when opening popups, Firefox throws the error 'Blocked Page' under certain conditions.
- Complete a comment that was seemingly left unfinished.
Tests:
- With the changes installed with 'make build install', opening popups with works without 'Blocked page' error.
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Veiko Aasa
---
 data/etc/apache2/conf-available/freedombox.conf | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf
index 95023151d..48fc827e3 100644
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
@@ -72,15 +72,18 @@ RedirectMatch "^/$" "/plinth"
 ## Enable strict sandboxing enabled with some exceptions:
 ## - Allow running Javascript.
-## - Allow popups as sometimes we use
+## - Allow popups to have different sandbox requirements as we launch apps' web
+## clients.
 ## - Allow forms to support configuration forms.
-## -
+## - Allow policies to treat same origin differently from other origins
+## - Allow downloads such as backup tarballs.
 ##
 ## Disable browser guessing of MIME types. FreedoBox already sets good content
 ## types for all the common file types.
 ##
 Header set Referrer-Policy 'same-origin'
- Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
+ Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-popups-to-escape-sandbox allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
 Header set X-Content-Type-Options 'nosniff'
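Review bot: The new comment `## - Allow popups to have different sandbox requirements as we launch apps' web clients.` understates what the added `allow-popups-to-escape-sandbox` token does: windows opened from this page receive none of the sandbox flags listed in this header, so the launched apps' web clients run with no sandbox at all, which is the intended trade-off and should be stated plainly, e.g. `## - Allow popups to escape the sandbox entirely, since the apps' web clients we launch must run without these restrictions.` The completed line `## - Allow policies to treat same origin differently from other origins` is also imprecise for `allow-same-origin`, which keeps the document's own origin (so cookies and storage stay accessible) instead of forcing an opaque one; `## - Keep the document's real origin (allow-same-origin) so cookies and storage keep working.` describes the actual effect. The `Header` directives appear indented, so the enclosing container starts and ends outside the hunk.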