owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

duplicated CSP frame-ancestors policy #10042

Closed wkloucek closed 1 month ago

wkloucek commented 1 month ago

Describe the bug

On the root path of oCIS, we get two content-security-policy headers. One has a static frame-ancestors 'self' config.

Steps to reproduce

  1. run oCIS 6.3.0, e.g. in Kubernetes using the development-install deployment example
  2. open oCIS, e.g. https://ocis.kube.owncloud.test/, after opening the network console
  3. look at the request to https://ocis.kube.owncloud.test/

Expected behavior

Have one header content-security-policy reflecting my oCIS csp configuration.

Actual behavior

(screenshot of the response headers, not reproduced here)

Further context

The second header seems to be statically set to frame-ancestors 'self' and is always there, even if I have a more sophisticated CSP config.

wkloucek commented 1 month ago

This additional header probably originates here:

https://github.com/owncloud/ocis/blob/a7a10f8f0c91859b7f3406d39d618ceded9a47e2/services/web/pkg/middleware/silentrefresh.go#L7-L13

wkloucek commented 1 month ago

And what it actually does: it takes precedence over the frame-ancestors policy in the first header...
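
As background for why a second, static header changes the effective framing policy: a browser enforces every Content-Security-Policy header on a response independently, so a frame ancestor must be allowed by each policy that carries a frame-ancestors directive. The Go program below is an added example, not code from oCIS or from any participant in this thread; it parses the CSP headers on a response, applies that combination rule, and reports the header count so a check can flag responses with more than one CSP header. The header values and the origin https://embed.example are constructed for the example; only the oCIS origin https://ocis.kube.owncloud.test comes from the report.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Policy is one Content-Security-Policy header value parsed into directives.
// Directive names are lower-cased; source expressions keep their spelling.
type Policy map[string][]string

// ParseCSP splits a single CSP header value ("dir src src; dir src") into directives.
func ParseCSP(value string) Policy {
	p := Policy{}
	for _, raw := range strings.Split(value, ";") {
		fields := strings.Fields(raw)
		if len(fields) == 0 {
			continue
		}
		name := strings.ToLower(fields[0])
		if _, dup := p[name]; dup {
			// A directive repeated within one policy is ignored (first wins).
			continue
		}
		p[name] = fields[1:]
	}
	return p
}

// sourceMatches reports whether one frame-ancestors source expression admits the
// ancestor origin. self is the origin of the framed document.
func sourceMatches(src string, ancestor, self *url.URL) bool {
	switch strings.ToLower(src) {
	case "'none'":
		return false
	case "'self'":
		return strings.EqualFold(ancestor.Scheme, self.Scheme) && strings.EqualFold(ancestor.Host, self.Host)
	case "*":
		return true
	}
	// Scheme-only source such as "https:".
	if strings.HasSuffix(src, ":") && !strings.Contains(src, "/") {
		return strings.EqualFold(ancestor.Scheme, strings.TrimSuffix(src, ":"))
	}
	// Host source, optionally with a scheme and a leading "*." wildcard.
	scheme, host := "", src
	if i := strings.Index(src, "://"); i >= 0 {
		scheme, host = src[:i], src[i+3:]
	}
	if scheme != "" && !strings.EqualFold(scheme, ancestor.Scheme) {
		return false
	}
	if strings.HasPrefix(host, "*.") {
		return strings.HasSuffix(strings.ToLower(ancestor.Host), strings.ToLower(host[1:]))
	}
	return strings.EqualFold(host, ancestor.Host)
}

// AllowsFraming applies the browser rule for several CSP headers on one response:
// each policy is enforced on its own, so the ancestor must be admitted by every
// policy that has a frame-ancestors directive. A policy without the directive
// imposes no framing restriction; one with an empty source list admits nothing.
func AllowsFraming(policies []Policy, ancestor, self *url.URL) bool {
	for _, p := range policies {
		sources, ok := p["frame-ancestors"]
		if !ok {
			continue
		}
		allowed := false
		for _, src := range sources {
			if sourceMatches(src, ancestor, self) {
				allowed = true
				break
			}
		}
		if !allowed {
			return false
		}
	}
	return true
}

// FramingAllowedBy parses every Content-Security-Policy header on a response and
// returns whether ancestor may frame the page, plus the number of CSP headers seen.
func FramingAllowedBy(h http.Header, ancestor, self string) (bool, int, error) {
	a, err := url.Parse(ancestor)
	if err != nil {
		return false, 0, err
	}
	s, err := url.Parse(self)
	if err != nil {
		return false, 0, err
	}
	values := h.Values("Content-Security-Policy")
	policies := make([]Policy, 0, len(values))
	for _, v := range values {
		policies = append(policies, ParseCSP(v))
	}
	return AllowsFraming(policies, a, s), len(values), nil
}

func main() {
	// Constructed response headers modelling the report: a configured policy that
	// permits one extra embedding origin, plus a second static header (hypothetical
	// values, not the actual oCIS configuration).
	h := http.Header{}
	h.Add("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self' https://embed.example")
	h.Add("Content-Security-Policy", "frame-ancestors 'self'")
	self := "https://ocis.kube.owncloud.test"
	for _, anc := range []string{self, "https://embed.example"} {
		ok, n, _ := FramingAllowedBy(h, anc, self)
		fmt.Printf("%d CSP header(s): ancestor %s allowed=%v\n", n, anc, ok)
	}
}
```

With both headers present the configured extra origin is refused even though the first policy lists it, which is the behaviour the report describes; once the second header is dropped the single remaining policy decides alone.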

micbar commented 1 month ago

@kulmann @JammingBen

Escalating it to P2

jvillafanez commented 1 month ago

As far as I know, the CSP is fully handled by the proxy service (through the csp.yaml file), and no other service should try to set the CSP. The easiest solution is to remove that header from the web service and let the proxy service handle it; we might need to document that the frame-ancestors 'self' (or a more relaxed) policy is required.

Alternatively, we could implement a way for any service to overwrite the CSP in the proxy service. In this case, the web service would require the proxy service to set, at least, the frame-ancestors 'self' policy. However, the solution seems complex and will require proper design. Note that setting the policy might be critical (the service might not work properly if the policy isn't set), and we need to deal with communication errors between the services.

micbar commented 1 month ago

The easiest solution is to remove that header from the web service and let the proxy service handle it;

Yes. That should do it for now.

jvillafanez commented 1 month ago

https://github.com/owncloud/ocis/pull/10146 should fix the double CSP header.

jvillafanez commented 1 month ago

PR merged. Closing.