Skip to content

feat: allow iframing urls on the same domain as the deployment #18102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 4 commits into from
May 29, 2025
Merged

feat: allow iframing urls on the same domain as the deployment #18102

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
edb2314
feat: allow iframing urls on the same domain as the deployment
Emyrk May 29, 2025
648c707
chore: toggle with experiment
Emyrk May 29, 2025
b3ac3ee
fixup test
Emyrk May 29, 2025
95f3b61
also add frame-src
Emyrk May 29, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 13 additions & 11 deletions coderd/coderd.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1532,17 +1532,19 @@ func New(options *Options) *API {

// Add CSP headers to all static assets and pages. CSP headers only affect
// browsers, so these don't make sense on api routes.
cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), func() []string {
if api.DeploymentValues.Dangerous.AllowAllCors {
// In this mode, allow all external requests
return []string{"*"}
}
if f := api.WorkspaceProxyHostsFn.Load(); f != nil {
return (*f)()
}
// By default we do not add extra websocket connections to the CSP
return []string{}
}, additionalCSPHeaders)
cspMW := httpmw.CSPHeaders(
api.Experiments,
options.Telemetry.Enabled(), func() []string {
if api.DeploymentValues.Dangerous.AllowAllCors {
// In this mode, allow all external requests
return []string{"*"}
}
if f := api.WorkspaceProxyHostsFn.Load(); f != nil {
return (*f)()
}
// By default we do not add extra websocket connections to the CSP
return []string{}
}, additionalCSPHeaders)

// Static file handler must be wrapped with HSTS handler if the
// StrictTransportSecurityAge is set. We only need to set this header on
Expand Down
15 changes: 13 additions & 2 deletions coderd/httpmw/csp.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,8 @@ import (
"fmt"
"net/http"
"strings"

"github.com/coder/coder/v2/codersdk"
)

// cspDirectives is a map of all csp fetch directives to their values.
Expand Down Expand Up @@ -37,6 +39,7 @@ const (
CSPDirectiveFormAction CSPFetchDirective = "form-action"
CSPDirectiveMediaSrc CSPFetchDirective = "media-src"
CSPFrameAncestors CSPFetchDirective = "frame-ancestors"
CSPFrameSource CSPFetchDirective = "frame-src"
CSPDirectiveWorkerSrc CSPFetchDirective = "worker-src"
)

Expand All @@ -55,7 +58,7 @@ const (
// Example: https://github.com/coder/coder/issues/15118
//
//nolint:revive
func CSPHeaders(telemetry bool, websocketHosts func() []string, staticAdditions map[CSPFetchDirective][]string) func(next http.Handler) http.Handler {
func CSPHeaders(experiments codersdk.Experiments, telemetry bool, websocketHosts func() []string, staticAdditions map[CSPFetchDirective][]string) func(next http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Content-Security-Policy disables loading certain content types and can prevent XSS injections.
Expand Down Expand Up @@ -88,13 +91,21 @@ func CSPHeaders(telemetry bool, websocketHosts func() []string, staticAdditions
CSPDirectiveMediaSrc: {"'self'"},
// Report all violations back to the server to log
CSPDirectiveReportURI: {"/api/v2/csp/reports"},
CSPFrameAncestors: {"'none'"},

// Only scripts can manipulate the dom. This prevents someone from
// naming themselves something like '<svg onload="alert(/cross-site-scripting/)" />'.
// "require-trusted-types-for" : []string{"'script'"},
}

if experiments.Enabled(codersdk.ExperimentAITasks) {
// AI tasks use iframe embeds of local apps.
// TODO: Handle region domains too, not just path based apps
cspSrcs.Append(CSPFrameAncestors, `'self'`)
cspSrcs.Append(CSPFrameSource, `'self'`)
} else {
cspSrcs.Append(CSPFrameAncestors, `'none'`)
}

if telemetry {
// If telemetry is enabled, we report to coder.com.
cspSrcs.Append(CSPDirectiveConnectSrc, "https://coder.com")
Expand Down
3 changes: 2 additions & 1 deletion coderd/httpmw/csp_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"github.com/stretchr/testify/require"

"github.com/coder/coder/v2/coderd/httpmw"
"github.com/coder/coder/v2/codersdk"
)

func TestCSPConnect(t *testing.T) {
Expand All @@ -20,7 +21,7 @@ func TestCSPConnect(t *testing.T) {
r := httptest.NewRequest(http.MethodGet, "/", nil)
rw := httptest.NewRecorder()

httpmw.CSPHeaders(false, func() []string {
httpmw.CSPHeaders(codersdk.Experiments{}, false, func() []string {
return expected
}, map[httpmw.CSPFetchDirective][]string{
httpmw.CSPDirectiveMediaSrc: expectedMedia,
Expand Down
Loading