Protei/PromucFlow_constructor
2
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Control where embedding of Appsmith is allowed (#15348)

Browse Source 
Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com>
This commit is contained in:
Shrikant Sharat Kandula 2022-07-21 13:03:35 +05:30 committed by GitHub
parent b4eddfe61e
commit 874b9945f8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 25 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
deploy/docker/scripts/run-nginx.sh
View File

@ -41,6 +41,15 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
-----END DH PARAMETERS----- -----END DH PARAMETERS-----
EOF EOF
if [[ -z "${APPSMITH_ALLOWED_FRAME_ANCESTORS-}" ]]; then
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
export APPSMITH_ALLOWED_FRAME_ANCESTORS="'self'"
else
# Remove any extra rules that may be present in the frame ancestors value. This is to prevent this env variable from
# being used to inject more rules to the CSP header. If needed, that should be supported/solved separately.
export APPSMITH_ALLOWED_FRAME_ANCESTORS="${APPSMITH_ALLOWED_FRAME_ANCESTORS%;*}"
fi
# Check exist certificate with given custom domain # Check exist certificate with given custom domain
# Heroku not support for custom domain, only generate HTTP config if deploying on Heroku # Heroku not support for custom domain, only generate HTTP config if deploying on Heroku
if [[ -n ${APPSMITH_CUSTOM_DOMAIN-} ]] && [[ -z ${DYNO-} ]]; then if [[ -n ${APPSMITH_CUSTOM_DOMAIN-} ]] && [[ -z ${DYNO-} ]]; then

6
deploy/docker/templates/docker.env.sh
View File

@ -91,4 +91,10 @@ APPSMITH_JAVA_ARGS=
APPSMITH_SUPERVISOR_USER=appsmith APPSMITH_SUPERVISOR_USER=appsmith
APPSMITH_SUPERVISOR_PASSWORD=$SUPERVISOR_PASSWORD APPSMITH_SUPERVISOR_PASSWORD=$SUPERVISOR_PASSWORD
# Set this to a space separated list of addresses that should be allowed to load Appsmith in a frame.
# Example: "https://mydomain.com https://another-trusted-domain.com" will allow embedding on those two domains.
# Default value, if commented or not set, is "'none'", which disables embedding completely.
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
APPSMITH_ALLOWED_FRAME_ANCESTORS="'self'"
EOF EOF

3
deploy/docker/templates/nginx/nginx-app-http.conf.template.sh
View File

@ -27,6 +27,9 @@ server {
root /opt/appsmith/editor; root /opt/appsmith/editor;
index index.html index.htm; index index.html index.htm;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
add_header Content-Security-Policy "frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self'}";
location /.well-known/acme-challenge/ { location /.well-known/acme-challenge/ {
root /appsmith-stacks/data/certificate/certbot; root /appsmith-stacks/data/certificate/certbot;
} }

4
deploy/docker/templates/nginx/nginx-app-https.conf.template.sh
View File

@ -39,6 +39,9 @@ server {
include /appsmith-stacks/data/certificate/conf/options-ssl-nginx.conf; include /appsmith-stacks/data/certificate/conf/options-ssl-nginx.conf;
ssl_dhparam /appsmith-stacks/data/certificate/conf/ssl-dhparams.pem; ssl_dhparam /appsmith-stacks/data/certificate/conf/ssl-dhparams.pem;
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
add_header Content-Security-Policy "frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self'}";
location = /supervisor { location = /supervisor {
return 301 /supervisor/; return 301 /supervisor/;
} }
@ -73,7 +76,6 @@ server {
root /appsmith-stacks/data/certificate/certbot; root /appsmith-stacks/data/certificate/certbot;
} }
location / { location / {
try_files \$uri /index.html =404; try_files \$uri /index.html =404;
} }