From 8006da129122a4e0046e0d016924d73af88be398 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20=C4=8Ci=C5=BEinsk=C3=BD?=
Date: Thu, 29 Oct 2020 17:41:45 +0100
Subject: [PATCH] fix: Add x-frame config option (#4420)

Signed-off-by: Pavel Cizinsky
---
 cmd/argo/commands/server.go | 3 +++
 server/apiserver/argoserver.go | 5 ++++-
 server/static/static.go | 13 ++++++++-----
 3 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/cmd/argo/commands/server.go b/cmd/argo/commands/server.go
index aeeb2dbe7eeb..bc124ff3d9b6 100644
--- a/cmd/argo/commands/server.go
+++ b/cmd/argo/commands/server.go
@@ -36,6 +36,7 @@ func NewServerCommand() *cobra.Command {
 enableOpenBrowser bool
 eventOperationQueueSize int
 eventWorkerCount int
+ frameOptions string
 )
 
 var command = cobra.Command{
@@ -108,6 +109,7 @@ See %s`, help.ArgoSever),
 ConfigName: configMap,
 EventOperationQueueSize: eventOperationQueueSize,
 EventWorkerCount: eventWorkerCount,
+ XFrameOptions: frameOptions,
 }
 browserOpenFunc := func(url string) {}
 if enableOpenBrowser {
@@ -141,5 +143,6 @@ See %s`, help.ArgoSever),
 command.Flags().BoolVarP(&enableOpenBrowser, "browser", "b", false, "enable automatic launching of the browser [local mode]")
 command.Flags().IntVar(&eventOperationQueueSize, "event-operation-queue-size", 16, "how many events operations that can be queued at once")
 command.Flags().IntVar(&eventWorkerCount, "event-worker-count", 4, "how many event workers to run")
+ command.Flags().StringVar(&frameOptions, "x-frame-options", "DENY", "Set X-Frame-Options header in HTTP responses.")
 return &command
 }
diff --git a/server/apiserver/argoserver.go b/server/apiserver/argoserver.go
index 95bd3e6224ea..2f5864d233eb 100644
--- a/server/apiserver/argoserver.go
+++ b/server/apiserver/argoserver.go
@@ -70,6 +70,7 @@ type argoServer struct {
 stopCh chan struct{}
 eventQueueSize int
 eventWorkerCount int
+ xframeOptions string
 }
 
 type ArgoServerOpts struct {
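Review bot: The new `--x-frame-options` flag in the third hunk accepts any string and nothing validates it, so a value browsers do not recognise (browsers honour only `DENY` and `SAMEORIGIN`; `ALLOW-FROM` is obsolete and ignored by current browsers) is sent unchanged and silently loses the clickjacking protection the old hard-coded `DENY` gave; the same applies to the header-setting hunk in server/static/static.go, which only rejects the empty string. A check after flag parsing, before the options struct in the second hunk is built, keeps the failure visible: `if o := frameOptions; o != "" && o != "DENY" && o != "SAMEORIGIN" {` / `return fmt.Errorf("invalid --x-frame-options %q: must be DENY, SAMEORIGIN or empty", o)` / `}` (or whatever the run function uses to fail the command, if it presumably does not return an error). The help text should also say that an empty value omits the header entirely, e.g. `"Set X-Frame-Options header in HTTP responses (DENY or SAMEORIGIN; empty disables the header)."`. NewServerCommand starts outside the hunk.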
@@ -86,6 +87,7 @@ type ArgoServerOpts struct {
 HSTS bool
 EventOperationQueueSize int
 EventWorkerCount int
+ XFrameOptions string
 }
 
 func NewArgoServer(opts ArgoServerOpts) (*argoServer, error) {
@@ -122,6 +124,7 @@ func NewArgoServer(opts ArgoServerOpts) (*argoServer, error) {
 stopCh: make(chan struct{}),
 eventQueueSize: opts.EventOperationQueueSize,
 eventWorkerCount: opts.EventWorkerCount,
+ xframeOptions: opts.XFrameOptions,
 }, nil
 }
 
@@ -288,7 +291,7 @@ func (as *argoServer) newHTTPServer(ctx context.Context, port int, artifactServe
 mux.HandleFunc("/oauth2/redirect", as.oAuth2Service.HandleRedirect)
 mux.HandleFunc("/oauth2/callback", as.oAuth2Service.HandleCallback)
 // we only enable HTST if we are insecure mode, otherwise you would never be able access the UI
- mux.HandleFunc("/", static.NewFilesServer(as.baseHRef, as.tlsConfig != nil && as.hsts).ServerFiles)
+ mux.HandleFunc("/", static.NewFilesServer(as.baseHRef, as.tlsConfig != nil && as.hsts, as.xframeOptions).ServerFiles)
 return &httpServer
 }
 
diff --git a/server/static/static.go b/server/static/static.go
index bd7725797834..6ab7b379f26e 100644
--- a/server/static/static.go
+++ b/server/static/static.go
@@ -7,12 +7,13 @@ import (
 )
 
 type FilesServer struct {
- baseHRef string
- hsts bool
+ baseHRef string
+ hsts bool
+ xframeOpts string
 }
 
-func NewFilesServer(baseHRef string, hsts bool) *FilesServer {
- return &FilesServer{baseHRef, hsts}
+func NewFilesServer(baseHRef string, hsts bool, xframeOpts string) *FilesServer {
+ return &FilesServer{baseHRef, hsts, xframeOpts}
 }
 
 func (s *FilesServer) ServerFiles(w http.ResponseWriter, r *http.Request) {
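Review bot: `NewFilesServer` in the server/static/static.go hunk builds the struct positionally, `&FilesServer{baseHRef, hsts, xframeOpts}`, so the meaning of the new third field rests on argument order and the empty-string-omits-the-header contract that `ServerFiles` relies on is recorded nowhere. Keyed fields and a field comment make both explicit: `xframeOpts string // value sent as X-Frame-Options; empty omits the header` and `return &FilesServer{baseHRef: baseHRef, hsts: hsts, xframeOpts: xframeOpts}`. The exported type and constructor also still lack doc comments; a one-liner such as `// NewFilesServer serves the UI's static files with the given base href, HSTS and X-Frame-Options settings.` would cover the constructor.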
@@ -27,7 +28,9 @@ func (s *FilesServer) ServerFiles(w http.ResponseWriter, r *http.Request) {
 w = &responseRewriter{ResponseWriter: w, old: []byte(``), new: []byte(fmt.Sprintf(``, s.baseHRef))}
 }
- w.Header().Set("X-Frame-Options", "DENY")
+ if s.xframeOpts != "" {
+ w.Header().Set("X-Frame-Options", s.xframeOpts)
+ }
 // `data:` is need for Monaco editors wiggly red lines
 w.Header().Set("Content-Security-Policy", "default-src 'self' 'unsafe-inline'; img-src 'self' data:")
 if s.hsts {
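Review bot: When `xframeOpts` is empty the new guard omits `X-Frame-Options`, and nothing else in the response then restricts framing, because the `Content-Security-Policy` set on the next line carries no `frame-ancestors` directive; the UI becomes embeddable from any origin with no trace of that intent in the code. At minimum record it on the guard, `// empty deliberately omits the header; the CSP below has no frame-ancestors, so framing is then unrestricted`, and consider deriving a matching `frame-ancestors 'none'` / `'self'` from the same option so the two headers cannot disagree. ServerFiles starts before this hunk and continues after it.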