Use Content-Security-Policy frame-ancestors
X-Frame-Options has been deprecated by Content Security Policy Level 2. We will need to provide the option for older browsers for the time being, but frame-ancestors is preferred on newer ones.
This commit is contained in:
parent
afa65349cc
commit
2b5cc07005
@ -47,8 +47,8 @@ remoteuploads = true
|
|||||||
- ```-metapath meta/``` -- Path to store information about uploads (default is meta/)
|
- ```-metapath meta/``` -- Path to store information about uploads (default is meta/)
|
||||||
- ```-maxsize 4294967296``` -- maximum upload file size in bytes (default 4GB)
|
- ```-maxsize 4294967296``` -- maximum upload file size in bytes (default 4GB)
|
||||||
- ```-allowhotlink``` -- Allow file hotlinking
|
- ```-allowhotlink``` -- Allow file hotlinking
|
||||||
- ```-contentsecuritypolicy "..."``` -- Content-Security-Policy header for pages (default is "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer origin;")
|
- ```-contentsecuritypolicy "..."``` -- Content-Security-Policy header for pages (default is "default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; referrer origin;")
|
||||||
- ```-filecontentsecuritypolicy "..."``` -- Content-Security-Policy header for files (default is "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; referrer origin;")
|
- ```-filecontentsecuritypolicy "..."``` -- Content-Security-Policy header for files (default is "default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; referrer origin;")
|
||||||
- ```-xframeoptions "..." ``` -- X-Frame-Options header (default is "SAMEORIGIN")
|
- ```-xframeoptions "..." ``` -- X-Frame-Options header (default is "SAMEORIGIN")
|
||||||
- ```-remoteuploads``` -- (optionally) enable remote uploads (/upload?url=https://...)
|
- ```-remoteuploads``` -- (optionally) enable remote uploads (/upload?url=https://...)
|
||||||
- ```-nologs``` -- (optionally) disable request logs in stdout
|
- ```-nologs``` -- (optionally) disable request logs in stdout
|
||||||
|
@ -212,10 +212,10 @@ func main() {
|
|||||||
flag.StringVar(&Config.remoteAuthFile, "remoteauthfile", "",
|
flag.StringVar(&Config.remoteAuthFile, "remoteauthfile", "",
|
||||||
"path to a file containing newline-separated scrypted auth keys for remote uploads")
|
"path to a file containing newline-separated scrypted auth keys for remote uploads")
|
||||||
flag.StringVar(&Config.contentSecurityPolicy, "contentsecuritypolicy",
|
flag.StringVar(&Config.contentSecurityPolicy, "contentsecuritypolicy",
|
||||||
"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; referrer origin;",
|
"default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; referrer origin;",
|
||||||
"value of default Content-Security-Policy header")
|
"value of default Content-Security-Policy header")
|
||||||
flag.StringVar(&Config.fileContentSecurityPolicy, "filecontentsecuritypolicy",
|
flag.StringVar(&Config.fileContentSecurityPolicy, "filecontentsecuritypolicy",
|
||||||
"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; referrer origin;",
|
"default-src 'none'; img-src 'self'; object-src 'self'; media-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self'; referrer origin;",
|
||||||
"value of Content-Security-Policy header for file access")
|
"value of Content-Security-Policy header for file access")
|
||||||
flag.StringVar(&Config.xFrameOptions, "xframeoptions", "SAMEORIGIN",
|
flag.StringVar(&Config.xFrameOptions, "xframeoptions", "SAMEORIGIN",
|
||||||
"value of X-Frame-Options header")
|
"value of X-Frame-Options header")
|
||||||
|
Loading…
Reference in New Issue
Block a user