Add frame-src CSP override option for custom origins (#994)

mgcm · web-flow · commit 64385e095d15 · 2025-09-29T11:20:33.000Z
* Add frame-src content policy override option for custom origin

Signed-off-by: Milton Moura &lt;miltonmoura@gmail.com&gt;

* Add changeset

Signed-off-by: Milton Moura &lt;miltonmoura@gmail.com&gt;

* add mention of  on the README.md

Signed-off-by: Milton Moura &lt;miltonmoura@gmail.com&gt;

---------

Signed-off-by: Milton Moura &lt;miltonmoura@gmail.com&gt;
diff --git a/.changeset/chilly-lemons-leave.md b/.changeset/chilly-lemons-leave.md
@@ -0,0 +1,5 @@
+---
+'@matrix-widget-toolkit/widget-server': minor
+---
+
+Add CSP_FRAME_SRC support to enable custom frame-src origins
diff --git a/containers/widget-server/Dockerfile b/containers/widget-server/Dockerfile
@@ -38,4 +38,4 @@ COPY files/provide_environment.sh /
 VOLUME /var/cache/nginx /tmp
 
 ENTRYPOINT [ "/provide_environment.sh" ]
-CMD [ "nginx", "-g", "daemon off; load_module \"modules/ngx_http_perl_module.so\"; env __ENVIRONMENT_SCRIPT__; env __CSP_FONT_SRC__; env __CSP_STYLE_SRC__; env __CSP_SCRIPT_SRC__; env __CSP_IMG_SRC__; env __CSP_CONNECT_SRC__;" ]
+CMD [ "nginx", "-g", "daemon off; load_module \"modules/ngx_http_perl_module.so\"; env __ENVIRONMENT_SCRIPT__; env __CSP_FRAME_SRC__; env __CSP_FONT_SRC__; env __CSP_STYLE_SRC__; env __CSP_SCRIPT_SRC__; env __CSP_IMG_SRC__; env __CSP_CONNECT_SRC__;" ]
diff --git a/containers/widget-server/README.md b/containers/widget-server/README.md
@@ -108,7 +108,7 @@ Simply replace the `/etc/nginx/conf.d/custom/content-security-policy.conf` file
 Note that the `$__STYLE_CSP_NONCE__` will be used to add the unique nonce to each request.
 
 It is also possible to extend the existing CSP with additional values:
-The values of the `CSP_FONT_SRC`, `CSP_STYLE_SRC`, `CSP_SCRIPT_SRC`, `CSP_IMG_SRC`, `CSP_CONNECT_SRC` environment variables will be appended to the respecting policy.
+The values of the `CSP_FRAME_SRC`, `CSP_FONT_SRC`, `CSP_STYLE_SRC`, `CSP_SCRIPT_SRC`, `CSP_IMG_SRC`, `CSP_CONNECT_SRC` environment variables will be appended to the respecting policy.
 Environment variable references can be added as string, e.g. `export CSP_IMG_SRC='${REACT_APP_HOME_SERVER_URL}'`.
 Note that it is not possible to remove existing entries without replacing the `content-security-policy.conf` file.
 
diff --git a/containers/widget-server/files/content-security-policy.conf b/containers/widget-server/files/content-security-policy.conf
@@ -1 +1 @@
-add_header Content-Security-Policy "default-src 'none'; font-src 'self' data: $__CSP_FONT_SRC__; style-src 'self' $__STYLE_CSP_NONCE__ $__CSP_STYLE_SRC__; script-src 'self' $__STYLE_CSP_NONCE__ $__CSP_SCRIPT_SRC__; img-src 'self' data: $__CSP_IMG_SRC__; connect-src 'self' $__CSP_CONNECT_SRC__; manifest-src 'self';";
+add_header Content-Security-Policy "default-src 'none'; frame-src 'self' $__CSP_FRAME_SRC__; font-src 'self' data: $__CSP_FONT_SRC__; style-src 'self' $__STYLE_CSP_NONCE__ $__CSP_STYLE_SRC__; script-src 'self' $__STYLE_CSP_NONCE__ $__CSP_SCRIPT_SRC__; img-src 'self' data: $__CSP_IMG_SRC__; connect-src 'self' $__CSP_CONNECT_SRC__; manifest-src 'self';";
diff --git a/containers/widget-server/files/default.conf b/containers/widget-server/files/default.conf
@@ -9,6 +9,7 @@ server_tokens off;
 perl_set $__ENVIRONMENT_SCRIPT__ 'sub { return $ENV{"__ENVIRONMENT_SCRIPT__"}; }';
 
 # provide additional variables that can be used in the CSP
+perl_set $__CSP_FRAME_SRC__ 'sub {return $ENV{"__CSP_FRAME_SRC__"}; }';
 perl_set $__CSP_FONT_SRC__ 'sub {return $ENV{"__CSP_FONT_SRC__"}; }';
 perl_set $__CSP_STYLE_SRC__ 'sub {return $ENV{"__CSP_STYLE_SRC__"}; }';
 perl_set $__CSP_SCRIPT_SRC__ 'sub {return $ENV{"__CSP_SCRIPT_SRC__"}; }';
@@ -48,8 +49,8 @@ server {
   # they have a hash in the filename.
   location /static {
     add_header Cache-Control "public, max-age=31556926, immutable";
-  } 
-  
+  }
+
   location /assets {
     add_header Cache-Control "public, max-age=31556926, immutable";
   }
diff --git a/containers/widget-server/files/provide_environment.sh b/containers/widget-server/files/provide_environment.sh
@@ -1,7 +1,7 @@
 #!/bin/sh
 
 # Create a new entrypoint that exports a __ENVIRONMENT_SCRIPT__ variable
-# from all REACT_APP_* environment variables. The variable contains a 
+# from all REACT_APP_* environment variables. The variable contains a
 # variable assignment to window.__ENVIRONMENT__  that should be put
 # into a <script>.
 
@@ -26,6 +26,7 @@ __ENVIRONMENT__=`echo -n "{$JSON_CONTENT}" | base64 -w 0`
 export __ENVIRONMENT_SCRIPT__="window.__ENVIRONMENT__ = '${__ENVIRONMENT__}';"
 
 # compile the CSP hooks
+export __CSP_FRAME_SRC__=`echo $CSP_FRAME_SRC | envsubst`
 export __CSP_FONT_SRC__=`echo $CSP_FONT_SRC | envsubst`
 export __CSP_STYLE_SRC__=`echo $CSP_STYLE_SRC | envsubst`
 export __CSP_SCRIPT_SRC__=`echo $CSP_SCRIPT_SRC | envsubst`

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@matrix-widget-toolkit/widget-server': minor
 +---
++
 +Add CSP_FRAME_SRC support to enable custom frame-src origins
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-add_header Content-Security-Policy "default-src 'none'; font-src 'self' data: $__CSP_FONT_SRC__; style-src 'self' $__STYLE_CSP_NONCE__ $__CSP_STYLE_SRC__; script-src 'self' $__STYLE_CSP_NONCE__ $__CSP_SCRIPT_SRC__; img-src 'self' data: $__CSP_IMG_SRC__; connect-src 'self' $__CSP_CONNECT_SRC__; manifest-src 'self';";`
	`1`	`+add_header Content-Security-Policy "default-src 'none'; frame-src 'self' $__CSP_FRAME_SRC__; font-src 'self' data: $__CSP_FONT_SRC__; style-src 'self' $__STYLE_CSP_NONCE__ $__CSP_STYLE_SRC__; script-src 'self' $__STYLE_CSP_NONCE__ $__CSP_SCRIPT_SRC__; img-src 'self' data: $__CSP_IMG_SRC__; connect-src 'self' $__CSP_CONNECT_SRC__; manifest-src 'self';";`