Merge pull request #1 from orange-cloudfoundry/clickjacking_prevention

FernandezBenjamin · web-flow · commit dbdc2460a63c · 2023-07-25T15:34:10.000+02:00
Add frame ancestor configuration for web app to prevent clickjacking
diff --git a/cmd/dex/config.go b/cmd/dex/config.go
@@ -150,6 +150,7 @@ type Web struct {
 	TLSCert        string   `json:"tlsCert"`
 	TLSKey         string   `json:"tlsKey"`
 	AllowedOrigins []string `json:"allowedOrigins"`
+	FrameAncestors []string `json:"frameAncestors"`
 }
 
 // Telemetry is the config format for telemetry including the HTTP server config.
diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
@@ -253,6 +253,10 @@ func runServe(options serveOptions) error {
 		logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)
 	}
 
+	if len(c.Web.FrameAncestors) > 0 {
+		logger.Infof("config allowed frame ancestors: %s", c.Web.FrameAncestors)
+	}
+
 	// explicitly convert to UTC.
 	now := func() time.Time { return time.Now().UTC() }
 
diff --git a/server/server.go b/server/server.go
@@ -77,6 +77,11 @@ type Config struct {
 	// domain.
 	AllowedOrigins []string
 
+	// List of domain allowed to frame the content of the application.
+	// By default no one is accepted to prevent against clickjacking.
+	// Passing in "*" will allow any domain
+	FrameAncestors []string
+
 	// If enabled, the server won't prompt the user to approve authorization requests.
 	// Logging in implies approval.
 	SkipApprovalScreen bool
@@ -339,7 +344,28 @@ func newServer(ctx context.Context, c Config, rotationStrategy rotationStrategy)
 		}
 	}
 
+
+	// frame-ancestors middleware
+	frameAncestorsMidldleware := func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			var ancestors string
+			if len(c.FrameAncestors) > 0 {
+				for i := 0; i < len(c.FrameAncestors); i++ {
+					if c.FrameAncestors[i] == issuerURL.String() {
+						c.FrameAncestors[i] = "'self'"
+					}
+				}
+				ancestors = strings.Join(c.FrameAncestors, " ")
+			} else {
+				ancestors = "'none'"
+			}
+			w.Header().Set("Content-Security-Policy", "frame-ancestors "+ancestors)
+			next.ServeHTTP(w, r)
+		})
+	}
+
 	r := mux.NewRouter().SkipClean(true).UseEncodedPath()
+	r.Use(frameAncestorsMidldleware)
 	handle := func(p string, h http.Handler) {
 		r.Handle(path.Join(issuerURL.Path, p), instrumentHandlerCounter(p, h))
 	}

Original file line number	Diff line number	Diff line change
`@@ -150,6 +150,7 @@ type Web struct {`
`150`	`150`	TLSCert string `json:"tlsCert"`
`151`	`151`	TLSKey string `json:"tlsKey"`
`152`	`152`	AllowedOrigins []string `json:"allowedOrigins"`
	`153`	+ FrameAncestors []string `json:"frameAncestors"`
`153`	`154`	`}`
`154`	`155`
`155`	`156`	`// Telemetry is the config format for telemetry including the HTTP server config.`
Original file line number	Diff line number	Diff line change
`@@ -253,6 +253,10 @@ func runServe(options serveOptions) error {`
`253`	`253`	`logger.Infof("config allowed origins: %s", c.Web.AllowedOrigins)`
`254`	`254`	`}`
`255`	`255`
	`256`	`+ if len(c.Web.FrameAncestors) > 0 {`
	`257`	`+ logger.Infof("config allowed frame ancestors: %s", c.Web.FrameAncestors)`
	`258`	`+ }`
	`259`	`+`
`256`	`260`	`// explicitly convert to UTC.`
`257`	`261`	`now := func() time.Time { return time.Now().UTC() }`
`258`	`262`