Use two different options when renderer in iframe

Author: lunny

custom/conf/app.example.ini

@@ -2177,8 +2177,11 @@ ROUTER = console
 ;; * sanitized: Sanitize the content and render it inside current page, default to only allow a few HTML tags and attributes. Customized sanitizer rules can be defined in [markup.sanitizer.*] .
 ;; * no-sanitizer: Disable the sanitizer and render the content inside current page. It's **insecure** and may lead to XSS attack if the content contains malicious code.
 ;; * iframe: Render the content in a separate standalone page and embed it into current page by iframe. The iframe is in sandbox mode with same-origin disabled, and the JS code are safely isolated from parent page.
-;; * iframe-allow-same-origin: Render the content in a separate standalone page and embed it into current page by iframe. The iframe is in sandbox mode with same-origin enabled so don't use this except you know what it means.
 ;RENDER_CONTENT_MODE=sanitized
+;; when RENDER_CONTENT_MODE is iframe, below two items will be avaible
+;;
+;RENDER_CONTENT_IFRAME_SANDBOX=allow-scripts
+;RENDER_CONTENT_EXTERNAL_CSP=sandbox allow-scripts
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;

docs/content/doc/advanced/config-cheat-sheet.en-us.md

@@ -1030,6 +1030,8 @@ IS_INPUT_FILE = false
   - sanitized: Sanitize the content and render it inside current page, default to only allow a few HTML tags and attributes. Customized sanitizer rules can be defined in `[markup.sanitizer.*]`.
   - no-sanitizer: Disable the sanitizer and render the content inside current page. It's **insecure** and may lead to XSS attack if the content contains malicious code.
   - iframe: Render the content in a separate standalone page and embed it into current page by iframe. The iframe is in sandbox mode with same-origin disabled, and the JS code are safely isolated from parent page.
+- RENDER_CONTENT_IFRAME_SANDBOX: **allow-scripts** When `RENDER_CONTENT_MODE` is `iframe`, this will be the allowed sandbox of iframe properties.
+- RENDER_CONTENT_EXTERNAL_CSP: **sandbox allow-scripts** When `RENDER_CONTENT_MODE` is `iframe`, this will be the allowed CSP of external renderer response.
 
 Two special environment variables are passed to the render command:
 - `GITEA_PREFIX_SRC`, which contains the current URL prefix in the `src` path tree. To be used as prefix for links.

modules/markup/external/external.go

@@ -62,18 +62,22 @@ func (p *Renderer) SanitizerRules() []setting.MarkupSanitizerRule {
 // SanitizerDisabled disabled sanitize if return true
 func (p *Renderer) SanitizerDisabled() bool {
 	return p.RenderContentMode == setting.RenderContentModeNoSanitizer ||
-		p.RenderContentMode == setting.RenderContentModeIframe ||
-		p.RenderContentMode == setting.RenderContentModeIframeAllowSameOrigin
+		p.RenderContentMode == setting.RenderContentModeIframe
 }
 
 // DisplayInIFrame represents whether render the content with an iframe
 func (p *Renderer) DisplayInIFrame() bool {
 	return p.RenderContentMode == setting.RenderContentModeIframe
 }
 
-// AllowSameOrigin represents whether render allow same origin
-func (p *Renderer) AllowSameOrigin() bool {
-	return p.RenderContentMode == setting.RenderContentModeIframeAllowSameOrigin
+// IframeSandbox represents iframe sandbox
+func (p *Renderer) IframeSandbox() string {
+	return p.RenderContentIframeSandbox
+}
+
+// ExternalCSP represents external render CSP
+func (p *Renderer) ExternalCSP() string {
+	return p.RenderContentExternalCSP
 }
 
 func envMark(envName string) string {

modules/markup/renderer.go

@@ -106,8 +106,11 @@ type ExternalRenderer interface {
 	// DisplayInIFrame represents whether render the content with an iframe
 	DisplayInIFrame() bool
 
-	// AllowSameOrigin represents whether render allow same origin
-	AllowSameOrigin() bool
+	// IframeSandbox represents iframe sandbox allowed options
+	IframeSandbox() string
+
+	// ExternalCSP represents external render CSP
+	ExternalCSP() string
 }
 
 // RendererContentDetector detects if the content can be rendered
@@ -180,10 +183,10 @@ func Render(ctx *RenderContext, input io.Reader, output io.Writer) error {
 		return err
 	}
 
-	if r, ok := renderer.(ExternalRenderer); ok && (r.DisplayInIFrame() || r.AllowSameOrigin()) {
+	if r, ok := renderer.(ExternalRenderer); ok && r.DisplayInIFrame() {
 		// for an external render, it could only output its content in a standalone page
 		// otherwise, a <iframe> should be outputted to embed the external rendered page
-		return renderIFrame(ctx, output, r.AllowSameOrigin())
+		return renderIFrame(ctx, output, r.IframeSandbox())
 	}
 
 	return RenderDirect(ctx, renderer, input, output)
@@ -204,11 +207,7 @@ type nopCloser struct {
 
 func (nopCloser) Close() error { return nil }
 
-func renderIFrame(ctx *RenderContext, output io.Writer, allowSameOrigin bool) error {
-	var allowSameOriginStr string
-	if allowSameOrigin {
-		allowSameOriginStr = " allow-same-origin"
-	}
+func renderIFrame(ctx *RenderContext, output io.Writer, iframeSandbox string) error {
 	// set height="0" ahead, otherwise the scrollHeight would be max(150, realHeight)
 	// at the moment, only "allow-scripts" is allowed for sandbox mode.
 	// "allow-same-origin" should never be used, it leads to XSS attack, and it makes the JS in iframe can access parent window's config and CSRF token
@@ -218,14 +217,14 @@ func renderIFrame(ctx *RenderContext, output io.Writer, allowSameOrigin bool) er
 name="giteaExternalRender"
 onload="this.height=giteaExternalRender.document.documentElement.scrollHeight"
 width="100%%" height="0" scrolling="no" frameborder="0" style="overflow: hidden"
-sandbox="allow-scripts%s"
+sandbox="%s"
 ></iframe>`,
 		setting.AppSubURL,
 		url.PathEscape(ctx.Metas["user"]),
 		url.PathEscape(ctx.Metas["repo"]),
 		ctx.Metas["BranchNameSubURL"],
 		url.PathEscape(ctx.RelativePath),
-		allowSameOriginStr,
+		iframeSandbox,
 	))
 	return err
 }

modules/setting/markup.go

@@ -21,22 +21,23 @@ var (
 )
 
 const (
-	RenderContentModeSanitized             = "sanitized"
-	RenderContentModeNoSanitizer           = "no-sanitizer"
-	RenderContentModeIframe                = "iframe"
-	RenderContentModeIframeAllowSameOrigin = "iframe-allow-same-origin"
+	RenderContentModeSanitized   = "sanitized"
+	RenderContentModeNoSanitizer = "no-sanitizer"
+	RenderContentModeIframe      = "iframe"
 )
 
 // MarkupRenderer defines the external parser configured in ini
 type MarkupRenderer struct {
-	Enabled              bool
-	MarkupName           string
-	Command              string
-	FileExtensions       []string
-	IsInputFile          bool
-	NeedPostProcess      bool
-	MarkupSanitizerRules []MarkupSanitizerRule
-	RenderContentMode    string
+	Enabled                    bool
+	MarkupName                 string
+	Command                    string
+	FileExtensions             []string
+	IsInputFile                bool
+	NeedPostProcess            bool
+	MarkupSanitizerRules       []MarkupSanitizerRule
+	RenderContentMode          string
+	RenderContentIframeSandbox string // allow-scripts
+	RenderContentExternalCSP   string
 }
 
 // MarkupSanitizerRule defines the policy for whitelisting attributes on
@@ -159,21 +160,23 @@ func newMarkupRenderer(name string, sec *ini.Section) {
 	if !sec.HasKey("RENDER_CONTENT_MODE") && sec.Key("DISABLE_SANITIZER").MustBool(false) {
 		renderContentMode = RenderContentModeNoSanitizer // if only the legacy DISABLE_SANITIZER exists, use it
 	}
+
 	if renderContentMode != RenderContentModeSanitized &&
 		renderContentMode != RenderContentModeNoSanitizer &&
-		renderContentMode != RenderContentModeIframe &&
-		renderContentMode != RenderContentModeIframeAllowSameOrigin {
+		renderContentMode != RenderContentModeIframe {
 		log.Error("invalid RENDER_CONTENT_MODE: %q, default to %q", renderContentMode, RenderContentModeSanitized)
 		renderContentMode = RenderContentModeSanitized
 	}
 
 	ExternalMarkupRenderers = append(ExternalMarkupRenderers, &MarkupRenderer{
-		Enabled:           sec.Key("ENABLED").MustBool(false),
-		MarkupName:        name,
-		FileExtensions:    exts,
-		Command:           command,
-		IsInputFile:       sec.Key("IS_INPUT_FILE").MustBool(false),
-		NeedPostProcess:   sec.Key("NEED_POSTPROCESS").MustBool(true),
-		RenderContentMode: renderContentMode,
+		Enabled:                    sec.Key("ENABLED").MustBool(false),
+		MarkupName:                 name,
+		FileExtensions:             exts,
+		Command:                    command,
+		IsInputFile:                sec.Key("IS_INPUT_FILE").MustBool(false),
+		NeedPostProcess:            sec.Key("NEED_POSTPROCESS").MustBool(true),
+		RenderContentMode:          renderContentMode,
+		RenderContentIframeSandbox: sec.Key("RENDER_CONTENT_IFRAME_SANDBOX").MustString("allow-scripts"),
+		RenderContentExternalCSP:   sec.Key("RENDER_CONTENT_EXTERNAL_CSP").MustString("sandbox allow-scripts"),
 	})
 }

routers/web/repo/render.go

@@ -72,11 +72,11 @@ func RenderFile(ctx *context.Context) {
 		return
 	}
 
-	if r, ok := renderer.(markup.ExternalRenderer); ok && r.AllowSameOrigin() {
-		allowSameOriginStr = " allow-same-origin"
+	if r, ok := renderer.(markup.ExternalRenderer); ok {
+		allowSameOriginStr = r.ExternalCSP()
 	}
 
-	ctx.Resp.Header().Add("Content-Security-Policy", fmt.Sprintf("frame-src 'self'; sandbox%s allow-scripts", allowSameOriginStr))
+	ctx.Resp.Header().Add("Content-Security-Policy", fmt.Sprintf("frame-src 'self'; %s", allowSameOriginStr))
 
 	if err = markup.RenderDirect(&markup.RenderContext{
 		Ctx:          ctx,