-rw-r--r--Dockerfile5
-rw-r--r--docker-compose.yml6
-rw-r--r--sandstorm-pkgdef.capnp2
-rw-r--r--server/policy.js24
-rwxr-xr-xsnap-src/bin/config12
-rwxr-xr-xsnap-src/bin/wekan-help15
6 files changed, 62 insertions, 2 deletions
diff --git a/Dockerfile b/Dockerfile
index 39002070..a548adf1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,6 +15,8 @@ ARG MATOMO_ADDRESS
ARG MATOMO_SITE_ID
ARG MATOMO_DO_NOT_TRACK
ARG MATOMO_WITH_USERNAME
+ARG BROWSER_POLICY_ENABLED
+ARG TRUSTED_URL
# Set the environment variables (defaults where required)
# DOES NOT WORK: paxctl fix for alpine linux: https://github.com/wekan/wekan/issues/1303
@@ -33,7 +35,8 @@ ENV MATOMO_ADDRESS ${MATOMO_ADDRESS:-}
ENV MATOMO_SITE_ID ${MATOMO_SITE_ID:-}
ENV MATOMO_DO_NOT_TRACK ${MATOMO_DO_NOT_TRACK:-false}
ENV MATOMO_WITH_USERNAME ${MATOMO_WITH_USERNAME:-true}
-
+ENV BROWSER_POLICY_ENABLED ${BROWSER_POLICY_ENABLED:-true}
+ENV TRUSTED_URL ${TRUSTED_URL:-}
# Copy the app to the image
COPY ${SRC_PATH} /home/wekan/app
diff --git a/docker-compose.yml b/docker-compose.yml
index e769cb82..9e96bcf1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -49,6 +49,12 @@ services:
# - MATOMO_DO_NOT_TRACK='false'
# The option that allows matomo to retrieve the username:
# - MATOMO_WITH_USERNAME='true'
+ # Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.
+ # Setting this to false is not recommended, it also disables all other browser policy protections
+ # and allows all iframing etc. See wekan/server/policy.js
+ - BROWSER_POLICY_ENABLED=true
+ # When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside.
+ - TRUSTED_URL=
depends_on:
- wekandb
diff --git a/sandstorm-pkgdef.capnp b/sandstorm-pkgdef.capnp
index 239e1640..c1cd764c 100644
--- a/sandstorm-pkgdef.capnp
+++ b/sandstorm-pkgdef.capnp
@@ -242,6 +242,8 @@ const myCommand :Spk.Manifest.Command = (
(key = "MATOMO_SITE_ID", value=""),
(key = "MATOMO_DO_NOT_TRACK", value="false"),
(key = "MATOMO_WITH_USERNAME", value="true"),
+ (key = "BROWSER_POLICY_ENABLED", value="true"),
+ (key = "TRUSTED_URL", value=""),
(key = "SANDSTORM", value = "1"),
(key = "METEOR_SETTINGS", value = "{\"public\": {\"sandstorm\": true}}")
]
diff --git a/server/policy.js b/server/policy.js
index 17c90c1c..344e42e2 100644
--- a/server/policy.js
+++ b/server/policy.js
@@ -1,9 +1,33 @@
import { BrowserPolicy } from 'meteor/browser-policy-common';
Meteor.startup(() => {
+
+ if ( process.env.BROWSER_POLICY_ENABLED === 'true' ) {
+ // Trusted URL that can embed Wekan in iFrame.
+ const trusted = process.env.TRUSTED_URL;
+ BrowserPolicy.framing.disallow();
+ BrowserPolicy.content.disallowInlineScripts();
+ BrowserPolicy.content.disallowEval();
+ BrowserPolicy.content.allowInlineStyles();
+ BrowserPolicy.content.allowFontDataUrl();
+ BrowserPolicy.framing.restrictToOrigin(trusted);
+ BrowserPolicy.content.allowScriptOrigin(trusted);
+ }
+ else {
+ // Disable browser policy and allow all framing and including.
+ // Use only at internal LAN, not at Internet.
+ BrowserPolicy.framing.allowAll();
+ BrowserPolicy.content.allowDataUrlForAll();
+ }
+
+ // Allow all images from anywhere
+ BrowserPolicy.content.allowImageOrigin('*');
+
+ // If Matomo URL is set, allow it.
const matomoUrl = process.env.MATOMO_ADDRESS;
if (matomoUrl){
BrowserPolicy.content.allowScriptOrigin(matomoUrl);
BrowserPolicy.content.allowImageOrigin(matomoUrl);
}
+
});
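Review bot: `BrowserPolicy.framing.restrictToOrigin(trusted)` and `BrowserPolicy.content.allowScriptOrigin(trusted)` run unconditionally inside the enabled branch, yet `TRUSTED_URL` defaults to an empty string in the Dockerfile, sandstorm-pkgdef.capnp and snap config added by this same commit, so the default deployment passes `""` (or `undefined` when the variable is unset) to both calls. Wrap them in a guard so the header only changes when an embedder is actually configured: `if (trusted) {` before the two calls and `}` after them; otherwise the `framing.disallow()` on the line above stands, which is the intended hardened default. It is also worth a comment on why `allowScriptOrigin(trusted)` is needed at all — letting another origin frame Wekan does not by itself require Wekan to load scripts from that origin, so this widens script-src beyond what embedding needs (presumably intentional; confirm). Note that the `else` branch comment says "internal LAN only" but nothing enforces it, so the docker-compose/snap descriptions should keep that warning in sync with this file.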
diff --git a/snap-src/bin/config b/snap-src/bin/config
index 9aa2841e..2c50c074 100755
--- a/snap-src/bin/config
+++ b/snap-src/bin/config
@@ -3,7 +3,7 @@
# All supported keys are defined here together with descriptions and default values
# list of supported keys
-keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME"
+keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL"
# default values
DESCRIPTION_MONGODB_BIND_UNIX_SOCKET="mongodb binding unix socket:\n"\
@@ -67,3 +67,13 @@ KEY_MATOMO_DO_NOT_TRACK="matomo-do-not-track"
DESCRIPTION_MATOMO_WITH_USERNAME="The option that allows matomo to retrieve the username"
DEFAULT_MATOMO_WITH_USERNAME="false"
KEY_MATOMO_WITH_USERNAME="matomo-with-username"
+
+DESCRIPTION_BROWSER_POLICY_ENABLED="Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.\n"\
+"\t\t\t Setting this to false is not recommended, it also disables all other browser policy protections\n"\
+"\t\t\t and allows all iframing etc. See wekan/server/policy.js"
+DEFAULT_BROWSER_POLICY_ENABLED="true"
+KEY_BROWSER_POLICY_ENABLED="browser-policy-enabled"
+
+DESCRIPTION_TRUSTED_URL="When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside."
+DEFAULT_TRUSTED_URL=""
+KEY_TRUSTED_URL="trusted-url"
diff --git a/snap-src/bin/wekan-help b/snap-src/bin/wekan-help
index 5c3f9b31..49270fb2 100755
--- a/snap-src/bin/wekan-help
+++ b/snap-src/bin/wekan-help
@@ -32,6 +32,21 @@ echo -e "To enable the API of wekan:"
echo -e "\t$ snap set $SNAP_NAME WITH_API='true'"
echo -e "\t-Disable the API:"
echo -e "\t$ snap set $SNAP_NAME WITH_API='false'"
+echo -e "\n"
+echo -e "Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside."
+echo -e "\t\t Setting this to false is not recommended, it also disables all other browser policy protections"
+echo -e "\t\t and allows all iframing etc. See wekan/server/policy.js"
+echo -e "To enable the Content Policy of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME CONTENT_POLICY_ENABLED='true'"
+echo -e "\t-Disable the Content Policy of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME CONTENT_POLICY_ENABLED='false'"
+echo -e "\n"
+echo -e "When browser policy is enabled, HTML code at this URL can have iframe that embeds Wekan inside."
+echo -e "To enable the Trusted URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME TRUSTED_URL='https://example.com'"
+echo -e "\t-Disable the Trusted URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME TRUSTED_URL=''"
+echo -e "\n"
# parse config file for supported settings keys
echo -e "wekan supports settings keys"
echo -e "values can be changed by calling\n$ snap set $SNAP_NAME <key name>='<key value>'"
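Review bot: The help text tells users to run `snap set $SNAP_NAME CONTENT_POLICY_ENABLED='true'` / `'false'`, but the key this commit registers in snap-src/bin/config is `BROWSER_POLICY_ENABLED` (and the env name used by server/policy.js is the same), so the documented command does not match any supported key. Change the two lines to `echo -e "\t$ snap set $SNAP_NAME BROWSER_POLICY_ENABLED='true'"` and `echo -e "\t$ snap set $SNAP_NAME BROWSER_POLICY_ENABLED='false'"`, and align the heading text ("Content Policy") with the same name so the help, config and code agree.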