shishantbiswas/coder
1
0
Fork 0
mirror of https://github.com/coder/coder.git synced 2026-06-02 20:48:20 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(coderd): omit frame-ancestors CSP for embed routes (#24529)

Browse Source
This commit is contained in:
Jakub Domeracki
2026-04-20 15:38:52 +02:00
committed by GitHub
parent 410f9a5e19
commit 411ed21059
3 changed files with 38 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files
coderd/coderd.go
+8 -4
View File
@@ -2037,16 +2037,20 @@ func New(options *Options) *API {
cspMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), cspProxyHosts, additionalCSPHeaders)
// Embed routes (e.g. VS Code extension chat) are designed to be
// loaded inside iframes, so they need a relaxed frame-ancestors
// policy instead of the default 'self'. However, if the operator
// explicitly configured frame-ancestors via CODER_ADDITIONAL_CSP_POLICY,
// loaded inside iframes, so they must not include frame-ancestors
// in their CSP. The CSP wildcard '*' only matches network schemes
// (http, https, ws, wss) and cannot cover custom schemes like
// vscode-webview://, so the only way to allow all embedders is
// to omit the directive entirely. If the operator explicitly
// configured frame-ancestors via CODER_ADDITIONAL_CSP_POLICY,
// respect that setting.
embedCSPHeaders := make(map[httpmw.CSPFetchDirective][]string, len(additionalCSPHeaders))
for k, v := range additionalCSPHeaders {
embedCSPHeaders[k] = v
}
if _, ok := additionalCSPHeaders[httpmw.CSPFrameAncestors]; !ok {
embedCSPHeaders[httpmw.CSPFrameAncestors] = []string{"*"}
embedCSPHeaders[httpmw.CSPFrameAncestors] = []string{}
}
embedCSPMW := httpmw.CSPHeaders(options.Telemetry.Enabled(), cspProxyHosts, embedCSPHeaders)
embedHandler := embedCSPMW(compressHandler(httpmw.HSTS(api.SiteHandler, options.StrictTransportSecurityCfg)))