From c6575a6fcce03fe00984f37aaa3d26d05224f804 Mon Sep 17 00:00:00 2001
From: Arthur de Moulins
Date: Thu, 28 Nov 2024 11:01:48 +0100
Subject: [PATCH] PS-743 Move from X-Frame-Options to Content-Security-Policy: frame-ancestors
---
 expose/api/docker/nginx/entrypoint.sh | 2 +-
 expose/api/docker/nginx/tpl/default.conf | 2 +-
 infra/docker/nginx-client-base/Dockerfile | 1 +
 infra/docker/nginx-client-base/entrypoint.sh | 2 ++
 .../docker/nginx-client-base/{nginx/conf.d => tpl}/default.conf | 2 +-
 infra/docker/nginx-fpm-base/entrypoint.sh | 2 +-
 infra/docker/nginx-fpm-base/tpl/default.conf | 2 +-
 7 files changed, 8 insertions(+), 5 deletions(-)
 rename infra/docker/nginx-client-base/{nginx/conf.d => tpl}/default.conf (78%)
diff --git a/expose/api/docker/nginx/entrypoint.sh b/expose/api/docker/nginx/entrypoint.sh
index 9bf8e3a95..8bc512c3f 100755
--- a/expose/api/docker/nginx/entrypoint.sh
+++ b/expose/api/docker/nginx/entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-envsubst '$UPLOAD_MAX_FILE_SIZE,$PS_SUBNET' < /etc/nginx/tpl/default.conf > /etc/nginx/conf.d/default.conf
+envsubst '${UPLOAD_MAX_FILE_SIZE},${PS_SUBNET},${DASHBOARD_CLIENT_URL}' < /etc/nginx/tpl/default.conf > /etc/nginx/conf.d/default.conf
 exec "$@"
diff --git a/expose/api/docker/nginx/tpl/default.conf b/expose/api/docker/nginx/tpl/default.conf
index 0c67304f7..3dd809aba 100644
--- a/expose/api/docker/nginx/tpl/default.conf
+++ b/expose/api/docker/nginx/tpl/default.conf
@@ -9,7 +9,7 @@ server {
 add_header X-Robots-Tag "noindex, nofollow";
 add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "deny";
+ add_header Content-Security-Policy "frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}";
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 client_max_body_size $UPLOAD_MAX_FILE_SIZE;
diff --git a/infra/docker/nginx-client-base/Dockerfile b/infra/docker/nginx-client-base/Dockerfile
index 65cdba545..08fd73ac3 100644
--- a/infra/docker/nginx-client-base/Dockerfile
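Review bot: The new `${DASHBOARD_CLIENT_URL}` goes straight into a quoted add_header value in /etc/nginx/tpl/default.conf with no check on its shape, and the same pattern is added to infra/docker/nginx-client-base/entrypoint.sh and infra/docker/nginx-fpm-base/entrypoint.sh. A value carrying a path (a constructed `https://dashboard.example.test/app`, say) appears to yield a frame-ancestors source that never matches, since browsers match ancestors by origin, and an unset variable silently shrinks the policy to `'self'`; both only surface as the dashboard failing to embed the page, while a `"` or `;` in the value would instead break the generated nginx config at startup. A fail-fast guard before envsubst makes the contract explicit and gives a readable error instead.
```sh
# DASHBOARD_CLIENT_URL is interpolated into a quoted add_header value: accept only a bare origin.
# Unset is allowed and leaves the policy at frame-ancestors 'self'.
if [ -n "${DASHBOARD_CLIENT_URL:-}" ] && ! printf '%s\n' "$DASHBOARD_CLIENT_URL" | grep -Eq '^https?://[^/;"[:space:]]+$'; then
  echo "DASHBOARD_CLIENT_URL must be a bare origin (scheme://host[:port]), got: $DASHBOARD_CLIENT_URL" >&2
  exit 1
fi
# … unchanged: envsubst line and exec "$@" …
```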
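Review bot: The replacement header is wider than the line it removes: `X-Frame-Options "deny"` refused every ancestor including the site itself, whereas `frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}` now also permits same-origin framing, and the commit message does not say that is wanted; if it is not, `frame-ancestors ${DASHBOARD_CLIENT_URL}` keeps the old behaviour, since an empty source list matches no ancestor. The identical hunk appears in infra/docker/nginx-client-base/tpl/default.conf and infra/docker/nginx-fpm-base/tpl/default.conf. Only browsers implementing CSP Level 2 honour frame-ancestors, so anything older now gets no framing restriction at all; keeping `add_header X-Frame-Options "sameorigin";` beside it is a cheap fallback that CSP-aware browsers ignore in favour of frame-ancestors. A template comment would spell out the variable's contract: `# DASHBOARD_CLIENT_URL: bare origin (scheme://host[:port]) allowed to embed this site; empty leaves only 'self'`.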
+++ b/infra/docker/nginx-client-base/Dockerfile
@@ -15,6 +15,7 @@ RUN apk update \
 COPY entrypoint.sh /entrypoint.sh
 COPY nginx/conf.d/* /etc/nginx/conf.d/
+COPY tpl /etc/nginx/tpl
 EXPOSE 80
diff --git a/infra/docker/nginx-client-base/entrypoint.sh b/infra/docker/nginx-client-base/entrypoint.sh
index 1579d0adf..deda04fbe 100755
--- a/infra/docker/nginx-client-base/entrypoint.sh
+++ b/infra/docker/nginx-client-base/entrypoint.sh
@@ -9,4 +9,6 @@ if [ -d /docker/entrypoint.d ]; then
 unset i
 fi
+envsubst '${DASHBOARD_CLIENT_URL}' < /etc/nginx/tpl/default.conf > /etc/nginx/conf.d/default.conf
+
 exec "$@"
diff --git a/infra/docker/nginx-client-base/nginx/conf.d/default.conf b/infra/docker/nginx-client-base/tpl/default.conf
similarity index 78%
rename from infra/docker/nginx-client-base/nginx/conf.d/default.conf
rename to infra/docker/nginx-client-base/tpl/default.conf
index aa3b2541f..5a004e577 100644
--- a/infra/docker/nginx-client-base/nginx/conf.d/default.conf
+++ b/infra/docker/nginx-client-base/tpl/default.conf
@@ -3,7 +3,7 @@ server {
 add_header X-Robots-Tag "noindex, nofollow";
 add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "deny";
+ add_header Content-Security-Policy "frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}";
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 root /var/app;
diff --git a/infra/docker/nginx-fpm-base/entrypoint.sh b/infra/docker/nginx-fpm-base/entrypoint.sh
index 3525698d0..8e96af6c6 100755
--- a/infra/docker/nginx-fpm-base/entrypoint.sh
+++ b/infra/docker/nginx-fpm-base/entrypoint.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-envsubst '${FPM_HOSTNAME} ${UPLOAD_MAX_FILE_SIZE}' < /etc/nginx/tpl/default.conf > /etc/nginx/conf.d/default.conf
+envsubst '${FPM_HOSTNAME},${UPLOAD_MAX_FILE_SIZE},${DASHBOARD_CLIENT_URL}' < /etc/nginx/tpl/default.conf > /etc/nginx/conf.d/default.conf
 exec "$@"
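Review bot: `COPY nginx/conf.d/* /etc/nginx/conf.d/` on the line above the added COPY still expects files in nginx/conf.d, but this commit renames the only file the diffstat shows there, default.conf, into tpl/; if nothing else is left in that directory the build fails for lack of source files. Either drop that COPY or confirm another file still lives there. Anything it does copy to /etc/nginx/conf.d/default.conf is overwritten at container start anyway, since infra/docker/nginx-client-base/entrypoint.sh now regenerates that file from the template with envsubst.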
diff --git a/infra/docker/nginx-fpm-base/tpl/default.conf b/infra/docker/nginx-fpm-base/tpl/default.conf
index 508d724ba..5b4524736 100644
--- a/infra/docker/nginx-fpm-base/tpl/default.conf
+++ b/infra/docker/nginx-fpm-base/tpl/default.conf
@@ -7,7 +7,7 @@ server {
 add_header X-Robots-Tag "noindex, nofollow";
 add_header X-Content-Type-Options "nosniff";
- add_header X-Frame-Options "deny";
+ add_header Content-Security-Policy "frame-ancestors 'self' ${DASHBOARD_CLIENT_URL}";
 add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
 location / {