fix: Add Content-Security-Policy configuration option #8943
Conversation
This should finish up the work on issue argoproj#2706 by adding a configurable Content-Security-Policy header which defaults to `frame-ancestors 'self';`. This matches what we do with X-Frame-Options=sameorigin. Some reference information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

Signed-off-by: zachaller <zachaller@hotmail.com>
Codecov Report

```
@@            Coverage Diff             @@
##           master    #8943      +/-   ##
==========================================
+ Coverage   43.40%   44.92%   +1.52%
==========================================
  Files         186      212      +26
  Lines       23373    25263    +1890
==========================================
+ Hits        10145    11350    +1205
- Misses      11779    12309     +530
- Partials     1449     1604     +155
```
- https://www.w3.org/TR/CSP2/#frame-ancestors-and-frame-options

So if someone out there is serving Argo CD via nested iframes like company.com/argo-cd-frame-top -> other.com/argo-cd-frame-inner -> company.com/argo-cd, this is a breaking change for them. I'm okay with that. :-)
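The default described in the PR description and the nested-iframe case raised in the comment above, as an added example that is not Argo CD's own code. `WithFrameHeaders`, `FrameAncestors`, `ChainAllowed` and `Headers` are names chosen for this illustration; the example assumes an empty policy string means "send no Content-Security-Policy header", and its `ChainAllowed` handles only `'self'`, `'none'` and exact origins (no wildcard or scheme-only sources). It shows why a chain company.com -> other.com -> company.com is refused under `frame-ancestors 'self'` even though the outermost and innermost pages share an origin: every ancestor in the chain must match a listed source.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// DefaultContentSecurityPolicy is the default the PR describes: only same-origin framing.
const DefaultContentSecurityPolicy = "frame-ancestors 'self';"

// WithFrameHeaders wraps next and sets the anti-framing headers on every response.
// csp is the configured Content-Security-Policy value; an empty string means "send no
// CSP header" (an assumption of this example, not a statement about Argo CD's server).
// xfo is the X-Frame-Options value, e.g. "sameorigin".
func WithFrameHeaders(next http.Handler, csp, xfo string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if csp != "" {
			w.Header().Set("Content-Security-Policy", csp)
		}
		if xfo != "" {
			w.Header().Set("X-Frame-Options", xfo)
		}
		next.ServeHTTP(w, r)
	})
}

// FrameAncestors extracts the source list of the frame-ancestors directive from a CSP
// string. The second return value is false when the policy has no such directive.
func FrameAncestors(policy string) ([]string, bool) {
	for _, directive := range strings.Split(policy, ";") {
		fields := strings.Fields(directive)
		if len(fields) > 0 && strings.EqualFold(fields[0], "frame-ancestors") {
			return fields[1:], true
		}
	}
	return nil, false
}

// ChainAllowed reports whether a page at origin self may be embedded under the given
// chain of ancestor origins (outermost first). As with frame-ancestors, every ancestor
// must match a source: 'self' matches the page's own origin, 'none' matches nothing,
// and any other source is compared as an exact origin. Wildcards and scheme-only
// sources are deliberately out of scope for this example.
func ChainAllowed(policy, self string, ancestors []string) bool {
	sources, ok := FrameAncestors(policy)
	if !ok {
		return true // no directive: this CSP places no restriction on framing
	}
	for _, ancestor := range ancestors {
		matched := false
		for _, src := range sources {
			switch strings.ToLower(src) {
			case "'none'":
				return false
			case "'self'":
				matched = matched || strings.EqualFold(ancestor, self)
			default:
				matched = matched || strings.EqualFold(ancestor, src)
			}
		}
		if !matched {
			return false
		}
	}
	return true
}

// Headers performs one in-memory request against the wrapped handler and returns
// the response headers, so the effect of a configured policy can be inspected.
func Headers(csp, xfo string) http.Header {
	h := WithFrameHeaders(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}), csp, xfo)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/", nil))
	return rec.Result().Header
}

func main() {
	fmt.Println(Headers(DefaultContentSecurityPolicy, "sameorigin"))

	// The nested-iframe case from the review thread (constructed origins):
	// company.com (top) -> other.com (inner) -> company.com (the Argo CD page).
	chain := []string{"https://company.com", "https://other.com"}
	fmt.Println(ChainAllowed(DefaultContentSecurityPolicy, "https://company.com", chain))              // false
	fmt.Println(ChainAllowed("frame-ancestors 'self' https://other.com;", "https://company.com", chain)) // true
}
```

Operators who do need the intermediate origin can list it explicitly alongside `'self'`, which is something X-Frame-Options alone cannot express; leaving the directive out entirely removes the CSP restriction and falls back to whatever X-Frame-Options says.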
Want to add this var to manifests/base/server/argocd-server-deployment.yaml so this can be configured via argocd-cmd-params-cm like x-frame-options?
…ed via configmap Signed-off-by: zachaller <zachaller@hotmail.com>
Nice! Thank you @zachaller
LGTM
* fix: Add Content-Security-Policy configuration

  This should finish up the work on issue argoproj#2706 by adding a configurable Content-Security-Policy header which defaults to `frame-ancestors 'self';`. This matches what we do with X-Frame-Options=sameorigin. Some reference information can be found here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

  Signed-off-by: zachaller <zachaller@hotmail.com>

* Run codegen

  Signed-off-by: zachaller <zachaller@hotmail.com>

* fix: add ARGOCD_SERVER_CONTENT_SECURITY_POLICY env var to be configured via configmap

  Signed-off-by: zachaller <zachaller@hotmail.com>

Signed-off-by: wojtekidd <wojtek.cichon@protonmail.com>