mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-04-15 09:51:21 +00:00
Closes: #2002.

Entire FreedomBox UI is served within a sandbox that is originally meant for cross-site iframes. A newly introduced flag allow-downloads is required to trigger downloads. Two instances where this is used in FreedomBox are OpenVPN profile download and backup download. Firefox 81 and Chrome 83 implement this flag. Add 'allow-downloads' to sandbox directives to fix this.

References:
- https://github.com/whatwg/html/pull/4293
- https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe
- https://bugzilla.mozilla.org/show_bug.cgi?id=1558394
- https://www.chromestatus.com/feature/5706745674465280

Tests:
- Check that OpenVPN profile can be downloaded.
- Check that backups can be downloaded.
- Check on Firefox 78 and Chromium 83.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: Veiko Aasa <veiko17@disroot.org>
70 lines
2.8 KiB
Plaintext
##
## Enable HSTS, even for subdomains. The header is only sent on HTTPS
## responses (env=HTTPS); browsers ignore HSTS received over plain HTTP.
##
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains" env=HTTPS

##
## Redirect traffic on home to /plinth as part of turning the machine
## into a FreedomBox server. Plinth then acts as a portal to reach all
## other services.
##
RedirectMatch "^/$" "/plinth"
RedirectMatch "^/freedombox" "/plinth"

##
## Disable sending Referer (sic) header from FreedomBox web interface to
## external websites. This improves privacy by not disclosing FreedomBox
## domains/URLs to external domains. Apps such as blogs which want to popularize
## themselves with the referrer header may still do so, since this policy is
## scoped to /plinth only.
##
## A strict Content Security Policy.
## - @fonts are allowed only from FreedomBox itself.
## - <frame>/<iframe> sources are disabled.
## - <img> sources are allowed only from FreedomBox itself.
## - Manifest file is not allowed as there is none yet.
## - <audio>, <video>, <track> tags are not allowed yet.
## - <object>, <embed>, <applet> tags are not allowed yet.
## - Allow JS from FreedomBox itself (no inline and attribute scripts).
## - Allow CSS files from FreedomBox itself (style-src 'self' does not permit
##   inline <style> elements or style= attributes either).
## - Web worker sources are allowed only from FreedomBox itself (for JSXC).
## - All other fetch sources, including Ajax, are allowed only from FreedomBox
##   itself (default-src 'self').
## - <base> tag is not allowed.
## - No plugin types are allowed since object-src is 'none'.
## - Form action should be to FreedomBox itself.
## - This interface may not be embedded in <frame>, <iframe>, etc. tags.
## - When serving HTTPS, don't allow HTTP assets. (block-all-mixed-content is
##   deprecated in current browsers, which block mixed content by default;
##   upgrade-insecure-requests is the modern replacement.)
##
## Enable strict sandboxing with some exceptions:
## - Allow running Javascript.
## - Allow popups as sometimes we use <a target=_blank>.
## - Allow forms to support configuration forms.
## - Allow same-origin access so the sandboxed document keeps its origin
##   (cookies and the login session keep working).
## - Allow downloads; required for OpenVPN profile and backup downloads.
##
## Note that allow-scripts together with allow-same-origin means scripts run
## with the origin's full privileges. The sandbox then only enforces the
## remaining restrictions (no top-level navigation, modals, pointer lock, etc.);
## protection against injected script comes from script-src, not the sandbox.
##
## Disable browser guessing of MIME types. FreedomBox already sets good content
## types for all the common file types.
##
<Location /plinth>
Header set Referrer-Policy 'same-origin'
Header set Content-Security-Policy "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; worker-src 'self'; default-src 'self'; base-uri 'none'; sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
Header set X-Content-Type-Options 'nosniff'
</Location>
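As an added example (not FreedomBox's own code), the following Python script parses the Content-Security-Policy serialization from the Header line above and checks that it says what the comments claim: no inline or eval script, no framing, no plugins, fetches restricted to 'self', and a sandbox directive that still carries allow-downloads, the flag this commit introduces. The policy string is copied verbatim from the config; the list of expectations in audit_csp is an assumption encoding the comments' intent, not anything the project ships. It also shows what the audit reports against a weakened policy with 'unsafe-inline' added and allow-downloads dropped.

```python
"""Audit a Content-Security-Policy header against the intent documented in the
FreedomBox Apache snippet. Added example; the expectations are assumptions."""
from typing import Dict, List

# Copied from the `Header set Content-Security-Policy` line of the snippet.
FREEDOMBOX_CSP = (
    "font-src 'self'; frame-src 'none'; img-src 'self'; manifest-src 'none'; "
    "media-src 'none'; object-src 'none'; script-src 'self'; style-src 'self'; "
    "worker-src 'self'; default-src 'self'; base-uri 'none'; "
    "sandbox allow-scripts allow-popups allow-forms allow-same-origin allow-downloads; "
    "form-action 'self'; frame-ancestors 'none'; block-all-mixed-content;"
)

# Sandbox flags the UI needs (comments above); allow-downloads is the new one.
REQUIRED_SANDBOX_FLAGS = ("allow-scripts", "allow-forms", "allow-same-origin",
                          "allow-downloads")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP serialization into {directive-name: [source tokens]}.

    Directives are ';'-separated; the first token of each is the name (matched
    case-insensitively). Browsers ignore a repeated directive, so the first
    occurrence wins here too. Empty chunks (e.g. a trailing ';') are skipped.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        directives.setdefault(name, tokens[1:])
    return directives


def audit_csp(policy: str) -> List[str]:
    """Return findings; an empty list means the policy matches the comments."""
    d = parse_csp(policy)
    findings: List[str] = []

    def src(name: str) -> List[str]:
        # Fetch directives fall back to default-src when not given explicitly.
        return d.get(name, d.get("default-src", []))

    # "Allow JS from FreedomBox itself (no inline and attribute scripts)."
    for bad in ("'unsafe-inline'", "'unsafe-eval'", "data:", "*"):
        if bad in src("script-src"):
            findings.append(f"script-src allows {bad}")
    # Plugins, framing and <base> must be fully disabled.
    for name, reason in (("object-src", "plugins possible"),
                         ("frame-ancestors", "clickjacking possible"),
                         ("base-uri", "base tag injection possible")):
        if d.get(name) != ["'none'"]:
            findings.append(f"{name} is not 'none' ({reason})")
    if "form-action" not in d:
        findings.append("form-action missing (forms may post anywhere)")
    # Everything else is allowed only from FreedomBox itself.
    for name in ("default-src", "img-src", "font-src", "worker-src", "style-src"):
        extra = [s for s in src(name) if s not in ("'self'", "'none'")]
        if extra:
            findings.append(f"{name} allows non-self sources: {extra}")
    # Sandbox must exist and carry the flags the UI depends on.
    sandbox = d.get("sandbox")
    if sandbox is None:
        findings.append("sandbox directive missing")
    else:
        for flag in REQUIRED_SANDBOX_FLAGS:
            if flag not in sandbox:
                findings.append(f"sandbox lacks {flag}")
    return findings


def weakened_policy() -> str:
    """Constructed counter-example: inline script allowed, allow-downloads gone
    (the pre-commit state in which OpenVPN/backup downloads were blocked)."""
    return (FREEDOMBOX_CSP
            .replace("script-src 'self'", "script-src 'self' 'unsafe-inline'")
            .replace(" allow-downloads", ""))


if __name__ == "__main__":
    print("shipped policy:", audit_csp(FREEDOMBOX_CSP) or "OK")
    for finding in audit_csp(weakened_policy()):
        print("weakened policy:", finding)
```

To run the same audit against a live box, feed it the header as served, e.g. the value from `curl -sI https://<host>/plinth/` (host is a placeholder), which also confirms the `<Location /plinth>` scoping: requests outside /plinth should carry no CSP from this snippet.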

##
## Serve FreedomBox icon as /favicon.ico for apps that don't present their own
## icon using <link rel=''>.
##
<Location ~ ^/favicon\.ico$>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule /favicon\.ico$ "/plinth/static/theme/img/favicon.ico" [PT]
</IfModule>
</Location>

##
## Serve SVG files compressed using gzip.
##
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE image/svg+xml
</IfModule>