From b846a0527688ab143e8c61152c15acd32bd42cf8 Mon Sep 17 00:00:00 2001 From: John Niang Date: Wed, 29 Mar 2023 14:56:13 +0800 Subject: [PATCH] Make frame options header configurable (#3612) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit #### What type of PR is this? /kind feature /area core #### What this PR does / why we need it: See https://github.com/halo-dev/halo/issues/3605#issuecomment-1486509473 for more. #### Which issue(s) this PR fixes: Fixes https://github.com/halo-dev/halo/issues/3605 #### Special notes for your reviewer: #### Does this PR introduce a user-facing change? ```release-note 提供配置以控制能否被 iframe 引用 ```
---
 .../run/halo/app/config/WebServerSecurityConfig.java | 12 +++++++++---
 .../app/infra/properties/SecurityProperties.java | 11 +++++++++++
 2 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java b/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
index 961bf311a..8c011f89f 100644
--- a/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
+++ b/application/src/main/java/run/halo/app/config/WebServerSecurityConfig.java
@@ -2,7 +2,6 @@ package run.halo.app.config;
 import static org.springframework.security.config.Customizer.withDefaults;
 import static org.springframework.security.web.server.header.ReferrerPolicyServerHttpHeadersWriter.ReferrerPolicy.STRICT_ORIGIN_WHEN_CROSS_ORIGIN;
-import static org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode.SAMEORIGIN;
 import static org.springframework.security.web.server.util.matcher.ServerWebExchangeMatchers.pathMatchers;
 import java.util.Set;
@@ -81,7 +80,8 @@ public class WebServerSecurityConfig {
 @Bean
 @Order(Ordered.HIGHEST_PRECEDENCE + 1)
 SecurityWebFilterChain portalFilterChain(ServerHttpSecurity http,
- ServerSecurityContextRepository securityContextRepository) {
+ ServerSecurityContextRepository securityContextRepository,
+ HaloProperties haloProperties) {
 var pathMatcher = pathMatchers(HttpMethod.GET, "/**");
 var mediaTypeMatcher = new MediaTypeServerWebExchangeMatcher(MediaType.TEXT_HTML);
 mediaTypeMatcher.setIgnoredMediaTypes(Set.of(MediaType.ALL));
@@ -89,7 +89,13 @@ public class WebServerSecurityConfig {
 .authorizeExchange().anyExchange().permitAll().and()
 .securityContextRepository(securityContextRepository)
 .headers()
- .frameOptions().mode(SAMEORIGIN)
+ .frameOptions(spec -> {
+ var frameOptions = haloProperties.getSecurity().getFrameOptions();
+ spec.mode(frameOptions.getMode());
+ if (frameOptions.isDisabled()) {
+ spec.disable();
+ }
+ })
 .referrerPolicy().policy(STRICT_ORIGIN_WHEN_CROSS_ORIGIN).and()
 .cache().disable().and()
 .anonymous(spec -> spec.authenticationFilter(
diff --git a/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java b/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
index 04828b82d..78ed4ae71 100644
--- a/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
+++ b/application/src/main/java/run/halo/app/infra/properties/SecurityProperties.java
@@ -1,12 +1,23 @@
 package run.halo.app.infra.properties;
 import lombok.Data;
+import org.springframework.security.web.server.header.XFrameOptionsServerHttpHeadersWriter.Mode;
 @Data
 public class SecurityProperties {
 private final Initializer initializer = new Initializer();
+ private final FrameOptions frameOptions = new FrameOptions();
+
+ @Data
+ public static class FrameOptions {
+
+ private boolean disabled;
+
+ private Mode mode = Mode.SAMEORIGIN;
+ }
+
 @Data
 public static class Initializer {
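Review bot: When `frameOptions.isDisabled()` is true the new `.frameOptions(spec -> { ... })` lambda removes the X-Frame-Options header with nothing in its place, so every page served by this chain becomes embeddable from any origin and loses its clickjacking protection; that consequence is invisible at the call site and deserves a comment such as `// disabled => no X-Frame-Options is written at all; pages can be framed by any origin (explicit operator opt-in)`. The `spec.mode(frameOptions.getMode())` call is also executed and then discarded when disabling, so the two settings read as if they combine; `if (frameOptions.isDisabled()) { spec.disable(); } else { spec.mode(frameOptions.getMode()); }` makes them exclusive. If the bound `mode` can end up null (an empty value in configuration), `spec.mode(null)` may be rejected by the header writer at startup, which is worth a guard or a binding test. Judging from the `.anyExchange().permitAll()` context this appears to affect only the portal chain, so the console and API chains would keep their existing header; the enclosing `portalFilterChain` method starts and ends outside this hunk.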
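Review bot: The new `FrameOptions` class adds two operator-facing properties without any Javadoc, and their interaction (`disabled` overrides `mode`, which is then ignored) cannot be inferred from the field names. Document `disabled` with something like `/** When true the X-Frame-Options header is not emitted at all, so the pages may be embedded by any origin; prefer leaving this false and selecting {@link #mode} instead. */` and `mode` with `/** X-Frame-Options value written when enabled; defaults to SAMEORIGIN, the value previously hard-coded in WebServerSecurityConfig. */`. Exposing the Spring Security `Mode` enum directly also ties the accepted configuration values to that enum's constants, which the property documentation should list. The `SecurityProperties` class continues past the end of this hunk.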