Skip to content

feat: add csp headers for embedded apps #18374

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 17, 2025
Merged

feat: add csp headers for embedded apps #18374

merged 2 commits into from
Jun 17, 2025
+180 −57

Conversation

code-asher
Copy link
Member

I modified the proxy host cache we already had and were using for websocket csp headers to also include the wildcard app host, then used those for frame-src policies.

I did not add frame-ancestors, since if I understand correctly, those would go on the app, and this middleware does not come into play there. Maybe we will want to add it on workspace apps like we do with cors, if we find apps are setting it to none or something.

Closes coder/internal#684

code-asher
code-asher commented Jun 14, 2025
View reviewed changes
coderd/coderd.go Outdated
Comment on lines 1550 to 1555
proxies := []*proxyhealth.ProxyHost{
{
Host: api.AccessURL.Host,
AppHost: appurl.ConvertAppHostForCSP(api.AccessURL.String(), api.AppHostname),
},
}
Copy link
Member Author

@code-asher code-asher Jun 14, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I tacked on the primary here, but we could instead add the primary as part of the WorkspaceProxyHostsFn function.

The current method here also includes the primary for AGPL, so if we do that we would also need to make some changes for the AGPL version (assuming wildcard apps and tasks even work with AGPL).

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

api.AppHostname can be "". We should probably handle empty string, and not add it to the csp header.

Copy link
Member Author

@code-asher code-asher Jun 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ConvertAppHostForCSP uses the first argument if the second is "", so we end up adding the base host instead (my thinking here was that means we are using path-based apps, so the root domain is the app host).

Copy link
Member Author

@code-asher code-asher Jun 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually I think my reasoning is incorrect because you can use both wildcard and path-based at the same time, right? Hmm...that means we always want to add the access URL? I guess self would cover that one already, but can you use path-based for the regions? Maybe I need to add both there.

Copy link
Member Author

@code-asher code-asher Jun 16, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also I need to use .Host instead of .String() since I think CSP does not like the protocol being in there, could have sworn I fixed that already.

Edit: wait no what am I talking about, apparently my brain is fried today, seems to work either way.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

you can use both wildcard and path-based at the same time

You can, and self covers that. I actually do not know if we support path based on proxies 🤔

code-asher
code-asher commented Jun 14, 2025
View reviewed changes
@code-asher code-asher requested a review from Emyrk June 14, 2025 02:46
Emyrk
Emyrk reviewed Jun 16, 2025
View reviewed changes
Emyrk
Emyrk reviewed Jun 16, 2025
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall LGTM. Have you done any manual QA @code-asher ?

@code-asher
Copy link
Member Author

code-asher commented Jun 16, 2025
edited
Loading

Overall LGTM. Have you done any manual QA @code-asher ?

I checked that the primary's headers get added to workspace apps misspoke, I mean the dashboard but I have not tested multiple regions (no idea how to set that up) and I have not actually tested an iframe because for the life of me I cannot get the tasks stuff to work locally (also I would need a subdomain to properly test).

Definitely open to ideas on how I can more fully test. Maybe I need to make a proper deployment somewhere.

Emyrk
Emyrk approved these changes Jun 17, 2025
View reviewed changes
Copy link
Member

@Emyrk Emyrk left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good on my local. We can confirm on dev.coder.

The unit tests look ok too 👍

This stuff is always annoying to test

@code-asher code-asher merged commit 82c14e0 into main Jun 17, 2025
34 checks passed
@code-asher code-asher deleted the asher/frame-src branch June 17, 2025 17:00
@github-actions github-actions bot locked and limited conversation to collaborators Jun 17, 2025
@code-asher
Copy link
Member Author

I tested regions on dev and the frames are embedding perfectly 😎

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Emyrk Emyrk Emyrk approved these changes

Assignees

@code-asher code-asher

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

tasks: allow embedding workspace apps in iframes
2 participants
@code-asher @Emyrk