Control where embedding of Appsmith is allowed (#15348)

Signed-off-by: Shrikant Sharat Kandula <shrikant@appsmith.com>

deploy/docker/scripts/run-nginx.sh

@@ -41,6 +41,15 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 -----END DH PARAMETERS-----
 EOF
 
+if [[ -z "${APPSMITH_ALLOWED_FRAME_ANCESTORS-}" ]]; then
+	# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+	export APPSMITH_ALLOWED_FRAME_ANCESTORS="'self'"
+else
+	# Remove any extra rules that may be present in the frame ancestors value. This is to prevent this env variable from
+	# being used to inject more rules to the CSP header. If needed, that should be supported/solved separately.
+	export APPSMITH_ALLOWED_FRAME_ANCESTORS="${APPSMITH_ALLOWED_FRAME_ANCESTORS%;*}"
+fi
+
 # Check exist certificate with given custom domain
 # Heroku not support for custom domain, only generate HTTP config if deploying on Heroku
 if [[ -n ${APPSMITH_CUSTOM_DOMAIN-} ]] && [[ -z ${DYNO-} ]]; then

deploy/docker/templates/docker.env.sh

@@ -59,7 +59,7 @@ APPSMITH_MAIL_SMTP_AUTH=
 APPSMITH_MAIL_SMTP_TLS_ENABLED=
 
 # Disable all telemetry
-# Note: This only takes effect in self-hosted scenarios. 
+# Note: This only takes effect in self-hosted scenarios.
 # Please visit: https://docs.appsmith.com/telemetry to read more about anonymized data collected by Appsmith
 APPSMITH_DISABLE_TELEMETRY=false
 #APPSMITH_SENTRY_DSN=
@@ -91,4 +91,10 @@ APPSMITH_JAVA_ARGS=
 
 APPSMITH_SUPERVISOR_USER=appsmith
 APPSMITH_SUPERVISOR_PASSWORD=$SUPERVISOR_PASSWORD
+
+# Set this to a space separated list of addresses that should be allowed to load Appsmith in a frame.
+# Example: "https://mydomain.com https://another-trusted-domain.com" will allow embedding on those two domains.
+# Default value, if commented or not set, is "'none'", which disables embedding completely.
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+APPSMITH_ALLOWED_FRAME_ANCESTORS="'self'"
 EOF

deploy/docker/templates/nginx/nginx-app-http.conf.template.sh

@@ -27,6 +27,9 @@ server {
   root /opt/appsmith/editor;
   index index.html index.htm;
 
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+  add_header Content-Security-Policy "frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self'}";
+
   location /.well-known/acme-challenge/ {
     root /appsmith-stacks/data/certificate/certbot;
   }
@@ -40,13 +43,13 @@ server {
     proxy_buffering     off;
     proxy_max_temp_file_size 0;
     proxy_redirect     off;
-    
+
     proxy_set_header  Host             	\$http_host/supervisor/;
     proxy_set_header  X-Forwarded-For  	\$proxy_add_x_forwarded_for;
     proxy_set_header 	X-Forwarded-Proto \$scheme;
     proxy_set_header 	X-Forwarded-Host 	\$http_host;
     proxy_set_header  Connection       "";
-    
+
     proxy_pass http://localhost:9001/;
 
     auth_basic "Protected";

deploy/docker/templates/nginx/nginx-app-https.conf.template.sh

@@ -39,6 +39,9 @@ server {
   include /appsmith-stacks/data/certificate/conf/options-ssl-nginx.conf;
   ssl_dhparam /appsmith-stacks/data/certificate/conf/ssl-dhparams.pem;
 
+  # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+  add_header Content-Security-Policy "frame-ancestors ${APPSMITH_ALLOWED_FRAME_ANCESTORS-'self'}";
+
   location = /supervisor {
     return 301 /supervisor/;
   }
@@ -60,7 +63,7 @@ server {
   }
 
   proxy_set_header X-Forwarded-Proto \$origin_scheme;
-  proxy_set_header X-Forwarded-Host \$host;  
+  proxy_set_header X-Forwarded-Host \$host;
 
   client_max_body_size 100m;
 
@@ -73,7 +76,6 @@ server {
     root /appsmith-stacks/data/certificate/certbot;
   }
 
-
   location / {
     try_files \$uri /index.html =404;
   }