fix: Add x-frame config option (argoproj#4420)

Signed-off-by: Pavel Cizinsky <[email protected]>
dreamholy · Oct 29, 2020 · 8006da1 · 8006da1
1 parent 46f0ca0
commit 8006da1
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 6 deletions.
diff --git a/cmd/argo/commands/server.go b/cmd/argo/commands/server.go
@@ -36,6 +36,7 @@ func NewServerCommand() *cobra.Command {
  enableOpenBrowser bool
  eventOperationQueueSize int
  eventWorkerCount int
+ frameOptions string
  )
 
  var command = cobra.Command{
@@ -108,6 +109,7 @@ See %s`, help.ArgoSever),
  ConfigName: configMap,
  EventOperationQueueSize: eventOperationQueueSize,
  EventWorkerCount: eventWorkerCount,
+ XFrameOptions: frameOptions,
  }
  browserOpenFunc := func(url string) {}
  if enableOpenBrowser {
@@ -141,5 +143,6 @@ See %s`, help.ArgoSever),
  command.Flags().BoolVarP(&enableOpenBrowser, "browser", "b", false, "enable automatic launching of the browser [local mode]")
  command.Flags().IntVar(&eventOperationQueueSize, "event-operation-queue-size", 16, "how many events operations that can be queued at once")
  command.Flags().IntVar(&eventWorkerCount, "event-worker-count", 4, "how many event workers to run")
+ command.Flags().StringVar(&frameOptions, "x-frame-options", "DENY", "Set X-Frame-Options header in HTTP responses.")
  return &command
 }
diff --git a/server/apiserver/argoserver.go b/server/apiserver/argoserver.go
@@ -70,6 +70,7 @@ type argoServer struct {
  stopCh chan struct{}
  eventQueueSize int
  eventWorkerCount int
+ xframeOptions string
 }
 
 type ArgoServerOpts struct {
@@ -86,6 +87,7 @@ type ArgoServerOpts struct {
  HSTS bool
  EventOperationQueueSize int
  EventWorkerCount int
+ XFrameOptions string
 }
 
 func NewArgoServer(opts ArgoServerOpts) (*argoServer, error) {
@@ -122,6 +124,7 @@ func NewArgoServer(opts ArgoServerOpts) (*argoServer, error) {
  stopCh: make(chan struct{}),
  eventQueueSize: opts.EventOperationQueueSize,
  eventWorkerCount: opts.EventWorkerCount,
+ xframeOptions: opts.XFrameOptions,
  }, nil
 }
 
@@ -288,7 +291,7 @@ func (as *argoServer) newHTTPServer(ctx context.Context, port int, artifactServe
  mux.HandleFunc("/oauth2/redirect", as.oAuth2Service.HandleRedirect)
  mux.HandleFunc("/oauth2/callback", as.oAuth2Service.HandleCallback)
  // we only enable HTST if we are insecure mode, otherwise you would never be able access the UI
- mux.HandleFunc("/", static.NewFilesServer(as.baseHRef, as.tlsConfig != nil && as.hsts).ServerFiles)
+ mux.HandleFunc("/", static.NewFilesServer(as.baseHRef, as.tlsConfig != nil && as.hsts, as.xframeOptions).ServerFiles)
  return &httpServer
 }
 

diff --git a/server/static/static.go b/server/static/static.go
@@ -7,12 +7,13 @@ import (
 )
 
 type FilesServer struct {
- baseHRef string
- hsts bool
+ baseHRef string
+ hsts bool
+ xframeOpts string
 }
 
-func NewFilesServer(baseHRef string, hsts bool) *FilesServer {
- return &FilesServer{baseHRef, hsts}
+func NewFilesServer(baseHRef string, hsts bool, xframeOpts string) *FilesServer {
+ return &FilesServer{baseHRef, hsts, xframeOpts}
 }
 
 func (s *FilesServer) ServerFiles(w http.ResponseWriter, r *http.Request) {
@@ -27,7 +28,9 @@ func (s *FilesServer) ServerFiles(w http.ResponseWriter, r *http.Request) {
  w = &responseRewriter{ResponseWriter: w, old: []byte(`<base href="/">`), new: []byte(fmt.Sprintf(`<base href="%s">`, s.baseHRef))}
  }
 
- w.Header().Set("X-Frame-Options", "DENY")
+ if s.xframeOpts != "" {
+ w.Header().Set("X-Frame-Options", s.xframeOpts)
+ }
  // `data:` is need for Monaco editors wiggly red lines
  w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline'; img-src 'self' data:")
  if s.hsts {