From 57ab6f667ceed2a55d019dfcad57c4c1542b3fbb Mon Sep 17 00:00:00 2001
From: Ralf Becker
Date: Tue, 28 Jan 2020 18:19:40 +0100
Subject: [PATCH] adding CSP frame-ancestors 'self' policy to mitigate clickjacking
---
 api/src/Header/ContentSecurityPolicy.php | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/api/src/Header/ContentSecurityPolicy.php b/api/src/Header/ContentSecurityPolicy.php
index 4ff82729b1..4622e39bb7 100644
--- a/api/src/Header/ContentSecurityPolicy.php
+++ b/api/src/Header/ContentSecurityPolicy.php
@@ -27,6 +27,7 @@ class ContentSecurityPolicy
 * - "style-src 'self' 'unsafe-inline'" allows only self and inline style, which we need
 * - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
 * - "manifest-src 'self'"
+ * - "'"frame-ancestors 'self'" does not allow to frame (embed in frameset) other then self / clickjacking protection
 * - "media-src 'self' data:"
 * - "img-src 'self' data: https:"
 * - "default-src 'none'" disallows all not explicitly set sources
@@ -39,6 +40,7 @@ class ContentSecurityPolicy
 'connect-src' => null, // NOT array(), to allow setting no default connect-src!
 'frame-src' => null, // NOT array(), to allow setting no default frame-src!
 'manifest-src'=> ["'self'"],
+ 'frame-ancestors' => ["'self'"], // does not allow to frame (embed in frameset) other then self / clickjacking protection
 'media-src' => ["data:"],
 'img-src' => ["data:", "https:"],
 'default-src' => ["'none'"], // disallows all not explicit set sources!
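Review bot: The new docblock bullet in the first hunk carries stray quote characters, `"'"frame-ancestors 'self'"`, so it no longer follows the `"directive value"` form of the neighbouring bullets, and "other then" should read "other than". Suggest ` * - "frame-ancestors 'self'" allows the page to be framed only by same-origin pages (clickjacking protection)`. The docblock this bullet belongs to starts and ends outside the hunk.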
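Review bot: The `'frame-ancestors' => ["'self'"]` default added in the second hunk is honoured only when the policy reaches the browser as an HTTP response header (it is ignored in a `<meta http-equiv>` policy) and only by clients that implement CSP Level 2, so on its own it leaves older clients unprotected, and the commit adds no `X-Frame-Options: SAMEORIGIN` fallback; nothing visible here shows whether that header is sent elsewhere, so please confirm. If this class is where the headers are emitted, send `X-Frame-Options: SAMEORIGIN` alongside the CSP so the clickjacking mitigation degrades gracefully. The inline comment also repeats the "other then" typo; suggest `// only same-origin pages may frame us (clickjacking protection); pair with X-Frame-Options: SAMEORIGIN for browsers without CSP Level 2`. The array literal this entry belongs to starts and ends outside the hunk.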