
- When Content Policy is enabled, allow one URL to have an iframe that embeds Wekan
- Add option to turn off Content Policy
- Allow always in Wekan markdown <img src="any-image-url-here">

Thanks to xet7 !

Closes #1676

Lauri Ojansivu 6 jaren geleden
bovenliggende
commit
b9929dc682
6 gewijzigde bestanden met toevoegingen van 62 en 2 verwijderingen
  1. 4 1
      Dockerfile
  2. 6 0
      docker-compose.yml
  3. 2 0
      sandstorm-pkgdef.capnp
  4. 24 0
      server/policy.js
  5. 11 1
      snap-src/bin/config
  6. 15 0
      snap-src/bin/wekan-help

+ 4 - 1
Dockerfile

@@ -15,6 +15,8 @@ ARG MATOMO_ADDRESS
 ARG MATOMO_SITE_ID
 ARG MATOMO_DO_NOT_TRACK
 ARG MATOMO_WITH_USERNAME
+ARG BROWSER_POLICY_ENABLED
+ARG TRUSTED_URL
 
 # Set the environment variables (defaults where required)
 # DOES NOT WORK: paxctl fix for alpine linux: https://github.com/wekan/wekan/issues/1303
@@ -33,7 +35,8 @@ ENV MATOMO_ADDRESS ${MATOMO_ADDRESS:-}
 ENV MATOMO_SITE_ID ${MATOMO_SITE_ID:-}
 ENV MATOMO_DO_NOT_TRACK ${MATOMO_DO_NOT_TRACK:-false}
 ENV MATOMO_WITH_USERNAME ${MATOMO_WITH_USERNAME:-true}
-
+ENV BROWSER_POLICY_ENABLED ${BROWSER_POLICY_ENABLED:-true}
+ENV TRUSTED_URL ${TRUSTED_URL:-}
 
 # Copy the app to the image
 COPY ${SRC_PATH} /home/wekan/app

+ 6 - 0
docker-compose.yml

@@ -49,6 +49,12 @@ services:
       # - MATOMO_DO_NOT_TRACK='false'
       # The option that allows matomo to retrieve the username:
       # - MATOMO_WITH_USERNAME='true'
+      # Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.
+      # Setting this to false is not recommended, it also disables all other browser policy protections
+      # and allows all iframing etc. See wekan/server/policy.js
+      - BROWSER_POLICY_ENABLED=true
+      # When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside.
+      - TRUSTED_URL=
     depends_on:
       - wekandb
 

+ 2 - 0
sandstorm-pkgdef.capnp

@@ -242,6 +242,8 @@ const myCommand :Spk.Manifest.Command = (
     (key = "MATOMO_SITE_ID", value=""),
     (key = "MATOMO_DO_NOT_TRACK", value="false"),
     (key = "MATOMO_WITH_USERNAME", value="true"),
+    (key = "BROWSER_POLICY_ENABLED", value="true"),
+    (key = "TRUSTED_URL", value=""),
     (key = "SANDSTORM", value = "1"),
     (key = "METEOR_SETTINGS", value = "{\"public\": {\"sandstorm\": true}}")
   ]

+ 24 - 0
server/policy.js

@@ -1,9 +1,33 @@
 import { BrowserPolicy } from 'meteor/browser-policy-common';
 
 Meteor.startup(() => {
+
+  if ( process.env.BROWSER_POLICY_ENABLED === 'true' ) {
+    // Trusted URL that can embed Wekan in iFrame.
+    const trusted = process.env.TRUSTED_URL;
+    BrowserPolicy.framing.disallow();
+    BrowserPolicy.content.disallowInlineScripts();
+    BrowserPolicy.content.disallowEval();
+    BrowserPolicy.content.allowInlineStyles();
+    BrowserPolicy.content.allowFontDataUrl();
+    BrowserPolicy.framing.restrictToOrigin(trusted);
+    BrowserPolicy.content.allowScriptOrigin(trusted);
+  }
+  else {
+    // Disable browser policy and allow all framing and including.
+    // Use only at internal LAN, not at Internet.
+    BrowserPolicy.framing.allowAll();
+    BrowserPolicy.content.allowDataUrlForAll();
+  }
+
+  // Allow all images from anywhere
+  BrowserPolicy.content.allowImageOrigin('*');
+
+  // If Matomo URL is set, allow it.
   const matomoUrl = process.env.MATOMO_ADDRESS;
   if (matomoUrl){
     BrowserPolicy.content.allowScriptOrigin(matomoUrl);
     BrowserPolicy.content.allowImageOrigin(matomoUrl);
   }
+
 });
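Review bot: The new branch at line 90 is fail-open: only the exact string `'true'` enables the policy, so an unset, `1` or `True` value (any launcher that does not go through the Dockerfile/snap defaults) falls into the else branch that calls `framing.allowAll()` and `allowDataUrlForAll()`. Inverting the test to `if (process.env.BROWSER_POLICY_ENABLED !== 'false')` keeps the documented default without depending on every deployment exporting the variable. `TRUSTED_URL` defaults to empty in the Dockerfile, docker-compose and snap config, yet `restrictToOrigin(trusted)` and `allowScriptOrigin(trusted)` are called unconditionally at lines 98–99; what the package does with an empty or undefined origin is not established here, so guarding them with `if (trusted)` keeps the preceding `framing.disallow()` in effect until an embedder is actually configured. Letting the trusted page embed Wekan only needs the framing rule; `allowScriptOrigin(trusted)` additionally lets that origin serve scripts into Wekan pages, which I would leave out unless that is intended.
```javascript
Meteor.startup(() => {
  // Fail closed: only an explicit 'false' turns the browser policy off.
  if (process.env.BROWSER_POLICY_ENABLED !== 'false') {
    const trusted = process.env.TRUSTED_URL;
    BrowserPolicy.framing.disallow();
    // … unchanged: disallowInlineScripts / disallowEval / allowInlineStyles / allowFontDataUrl …
    // Only widen framing once an embedder origin is actually configured.
    if (trusted) {
      BrowserPolicy.framing.restrictToOrigin(trusted);
    }
  }
  // … unchanged: else branch, image and Matomo rules …
```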

+ 11 - 1
snap-src/bin/config

@@ -3,7 +3,7 @@
 # All supported keys are defined here together with descriptions and default values
 
 # list of supported keys
-keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME"
+keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL"
 
 # default values
 DESCRIPTION_MONGODB_BIND_UNIX_SOCKET="mongodb binding unix socket:\n"\
@@ -67,3 +67,13 @@ KEY_MATOMO_DO_NOT_TRACK="matomo-do-not-track"
 DESCRIPTION_MATOMO_WITH_USERNAME="The option that allows matomo to retrieve the username"
 DEFAULT_MATOMO_WITH_USERNAME="false"
 KEY_MATOMO_WITH_USERNAME="matomo-with-username"
+
+DESCRIPTION_BROWSER_POLICY_ENABLED="Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.\n"\
+"\t\t\t Setting this to false is not recommended, it also disables all other browser policy protections\n"\
+"\t\t\t and allows all iframing etc. See wekan/server/policy.js"
+DEFAULT_BROWSER_POLICY_ENABLED="true"
+KEY_BROWSER_POLICY_ENABLED="browser-policy-enabled"
+
+DESCRIPTION_TRUSTED_URL="When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside."
+DEFAULT_TRUSTED_URL=""
+KEY_TRUSTED_URL="trusted-url"

+ 15 - 0
snap-src/bin/wekan-help

@@ -32,6 +32,21 @@ echo -e "To enable the API of wekan:"
 echo -e "\t$ snap set $SNAP_NAME WITH_API='true'"
 echo -e "\t-Disable the API:"
 echo -e "\t$ snap set $SNAP_NAME WITH_API='false'"
+echo -e "\n"
+echo -e "Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside."
+echo -e "\t\t Setting this to false is not recommended, it also disables all other browser policy protections"
+echo -e "\t\t and allows all iframing etc. See wekan/server/policy.js"
+echo -e "To enable the Content Policy of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME CONTENT_POLICY_ENABLED='true'"
+echo -e "\t-Disable the Content Policy of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME CONTENT_POLICY_ENABLED='false'"
+echo -e "\n"
+echo -e "When browser policy is enabled, HTML code at this URL can have iframe that embeds Wekan inside."
+echo -e "To enable the Trusted URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME TRUSTED_URL='https://example.com'"
+echo -e "\t-Disable the Trusted URL of Wekan:"
+echo -e "\t$ snap set $SNAP_NAME TRUSTED_URL=''"
+echo -e "\n"
 # parse config file for supported settings keys
 echo -e "wekan supports settings keys"
 echo -e "values can be changed by calling\n$ snap set $SNAP_NAME <key name>='<key value>'"
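Review bot: The help text at lines 159 and 161 advertises the key `CONTENT_POLICY_ENABLED`, but the key this commit registers in snap-src/bin/config (lines 128 and 141) is `BROWSER_POLICY_ENABLED`, so a user following the help would set an unsupported snap key and the policy would stay unchanged. Change both commands to `echo -e "\t$ snap set $SNAP_NAME BROWSER_POLICY_ENABLED='true'"` and `echo -e "\t$ snap set $SNAP_NAME BROWSER_POLICY_ENABLED='false'"`. The headings at lines 158 and 160 would then read consistently with the description two lines above as `To enable the browser policy of Wekan:` and `-Disable the browser policy of Wekan:`.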