Allow frame embedding in Gitea

2021-07-20 15:58:06 +02:00 · 2021-07-20 15:58:06 +02:00 · 95c593c9eb
parent b498a9556a
commit 95c593c9eb
1 changed files with 2 additions and 6 deletions
--- a/modules/webstack.nix
+++ b/modules/webstack.nix
@ -24,16 +24,12 @@
      # Minimize information leaked to other domains
      add_header 'Referrer-Policy' 'origin-when-cross-origin';

-      # Disable embedding as a frame
-      add_header X-Frame-Options DENY;
+      # Disable embedding as a frame, except from the same origin
+      add_header Content-Security-Policy "frame-src git.coolneng.duckdns.org; frame-ancestors git.coolneng.duckdns.org";

      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;

-      # Enable XSS protection of the browser.
-      # May be unnecessary when CSP is configured properly (see above)
-      add_header X-XSS-Protection "1; mode=block";
-
      # This might create errors
      proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
    '';