This is an automated email from the ASF dual-hosted git repository.

jan pushed a commit to branch fix/fauxton-news-csp
in repository https://gitbox.apache.org/repos/asf/couchdb.git

commit e3766ff7d582b31c988decf81ce1dc673f9d2671
Author: Jan Lehnardt <[email protected]>
AuthorDate: Tue Apr 8 14:18:09 2025 +0200

    fix: Add blog.couchdb.org to frame-src CSP header to fix Fauxton News
---
 rel/overlay/etc/default.ini    | 2 +-
 src/chttpd/src/chttpd_misc.erl | 2 +-
 src/docs/src/config/misc.rst   | 4 +++-
 3 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/rel/overlay/etc/default.ini b/rel/overlay/etc/default.ini
index 5547b1458..b7229d5e4 100644
--- a/rel/overlay/etc/default.ini
+++ b/rel/overlay/etc/default.ini
@@ -444,7 +444,7 @@ authentication_db = _users
 ; CSP (Content Security Policy) Support
 [csp]
 ;utils_enable = true
-;utils_header_value = default-src 'self'; img-src 'self'; font-src *; 
script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
+;utils_header_value = default-src 'self'; img-src 'self'; font-src *; 
script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 
https://blog.couchdb.org;
 ;attachments_enable = true
 ;attachments_header_value = sandbox
 ;showlist_enable = true
diff --git a/src/chttpd/src/chttpd_misc.erl b/src/chttpd/src/chttpd_misc.erl
index 888111a64..d0bf363f3 100644
--- a/src/chttpd/src/chttpd_misc.erl
+++ b/src/chttpd/src/chttpd_misc.erl
@@ -101,7 +101,7 @@ handle_utils_dir_req(#httpd{method = 'GET'} = Req, 
DocumentRoot) ->
             CachingHeaders = [{"Cache-Control", "private, must-revalidate"}],
             DefaultValues =
                 "child-src 'self' data: blob:; default-src 'self'; img-src 
'self' data:; font-src 'self'; "
-                "script-src 'self' 'unsafe-eval'; style-src 'self' 
'unsafe-inline';",
+                "script-src 'self' 'unsafe-eval'; style-src 'self' 
'unsafe-inline'; frame-src https://blog.couchdb.org;";,
             Headers = chttpd_util:maybe_add_csp_header("utils", 
CachingHeaders, DefaultValues),
             chttpd:serve_file(Req, RelativePath, DocumentRoot, Headers);
         {_ActionKey, "", _RelativePath} ->
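Review bot: The new line ends in `";,` — a stray `;` between the closing quote and the comma — which Erlang cannot parse (`;` terminates a clause, so `Expr;,` is a syntax error) and will break compilation of chttpd_misc as committed. The line should read `"script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src https://blog.couchdb.org;",` so that the two string literals still concatenate into one DefaultValues. Scoping frame-src to a single https origin rather than `*` is the right shape for this default; a `frame-src` directive is also a narrower grant than loosening `child-src`, which remains `'self' data: blob:` on the lines above. Separately, the commented default in rel/overlay/etc/default.ini and the rst docs still omit the `child-src` and `data:` parts this code sends, so the three "defaults" in this commit do not describe the same policy — presumably pre-existing, but worth aligning while all three files are touched. handle_utils_dir_req starts and ends outside the hunk.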
diff --git a/src/docs/src/config/misc.rst b/src/docs/src/config/misc.rst
index 5c76d2a6c..ff4619753 100644
--- a/src/docs/src/config/misc.rst
+++ b/src/docs/src/config/misc.rst
@@ -235,7 +235,9 @@ Content-Security-Policy
         Specifies the exact header value to send. Defaults to::
 
             [csp]
-            utils_header_value = default-src 'self'; img-src 'self'; font-src 
*; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
+            utils_header_value = default-src 'self'; img-src 'self'; font-src 
*; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src 
https://blog.couchdb.org;
+
+        ``blog.couchdb.org`` exists to cover the optional Fauxton News page.
 
     .. config:option:: attachments_enable :: Enable CSP-Header (attachments)
 
