Add frame ancestor configuration for web app to prevent clickjacking

orange-cloudfoundry · Jul 18, 2023 · ee39467 · ee39467
1 parent bfa6d61
commit ee39467
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 0 deletions.
diff --git a/cmd/dex/config.go b/cmd/dex/config.go
@@ -150,6 +150,7 @@ type Web struct {
 	TLSCert        string   `json:"tlsCert"`
 	TLSKey         string   `json:"tlsKey"`
 	AllowedOrigins []string `json:"allowedOrigins"`
+	FrameAncestors []string `json:"frameAncestors"`
 }
 
 // Telemetry is the config format for telemetry including the HTTP server config.

diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
@@ -253,6 +253,10 @@ func runServe(options serveOptions) error {
 		logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)
 	}
 
+	if len(c.Web.FrameAncestors) > 0 {
+		logger.Infof("config allowed frame ancestors: %s", c.Web.FrameAncestors)
+	}
+
 	// explicitly convert to UTC.
 	now := func() time.Time { return time.Now().UTC() }
 

diff --git a/server/server.go b/server/server.go
@@ -77,6 +77,11 @@ type Config struct {
 	// domain.
 	AllowedOrigins []string
 
+	// List of domain allowed to frame the content of the application.
+	// By default no one is accepted to prevent against clickjacking.
+	// Passing in "*" will allow any domain
+	FrameAncestors []string
+
 	// If enabled, the server won't prompt the user to approve authorization requests.
 	// Logging in implies approval.
 	SkipApprovalScreen bool
@@ -339,7 +344,28 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		}
 	}
 
+
+	// frame-ancestors middleware
+	frameAncestorsMidldleware := func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			var ancestors string
+			if len(c.FrameAncestors) > 0 {
+				for i := 0; i < len(c.FrameAncestors); i++ {
+					if c.FrameAncestors[i] == issuerURL.String() {
+						c.FrameAncestors[i] = "'self'"
+					}
+				}
+				ancestors = strings.Join(c.FrameAncestors, " ")
+			} else {
+				ancestors = "'none'"
+			}
+			w.Header().Set("Content-Security-Policy", "frame-ancestors "+ancestors)
+			next.ServeHTTP(w, r)
+		})
+	}
+
 	r := mux.NewRouter().SkipClean(true).UseEncodedPath()
+	r.Use(frameAncestorsMidldleware)
 	handle := func(p string, h http.Handler) {
 		r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
 	}