    Mattermost X-Frame-Options and Content-Security-Policy for apache

    • _r9
      _r9 last edited by _r9

      Because it took me some time, this is my apache2 proxy vhost configuration for the Mattermost iframe inside Kopano.
      Relates to this article: https://documentation.kopano.io/kopano_mattermost_manual/first_steps.html#configuration-for-kopano-webapp-deskapp

      # # #
      # Kopano Mattermost
      # Allow framing only by the Mattermost host itself and by the Kopano WebApp host.
      Header set Content-Security-Policy "frame-ancestors 'self' https://your.kopano.webapp.host.local"
      # Legacy fallback for browsers without frame-ancestors support; the ALLOW-FROM URI takes no quotes.
      Header set X-Frame-Options "ALLOW-FROM https://your.kopano.webapp.host.local"
      # # #
      
      • fbartels
        fbartels Kopano @_r9 last edited by

        Hi @_r9,

        Can you explain the function difference to the setting from the linked manual?

        Regards Felix

        Resources:
        https://kopano.com/blog/how-to-get-kopano/
        https://documentation.kopano.io/
        https://kb.kopano.io/

        Support overview:
        https://kopano.com/support/

        • _r9
          _r9 @fbartels last edited by _r9

          @fbartels The only difference is that this is for the apache2 server instead of nginx. I changed the hostname inside the configuration from my first post to prevent further misconceptions.

          To explain my configuration: I’m testing the Kopano-Docker installation at the moment. I also use the kweb server, which already operates as a proxy. My problem is that I use an apache2 proxy in front of this server. Besides the proxy server configuration I had to add the following configuration inside my apache2 vhost configuration. But I’m still testing this configuration.

          # Forward Mattermost WebSocket upgrades to the backend (needs mod_rewrite, mod_proxy and mod_proxy_wstunnel).
          # $MATTERMOSTSERVER and $MATTERMOSTPORT are placeholders for the Mattermost host and port.
          RewriteEngine On
          RewriteCond %{REQUEST_URI} /api/v[0-9]+/(users/)?websocket [NC,OR]
          RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC,OR]
          RewriteCond %{HTTP:CONNECTION} ^Upgrade$ [NC]
          RewriteRule .* wss://$MATTERMOSTSERVER:$MATTERMOSTPORT%{REQUEST_URI} [P,QSA,L]
          
          # # #
          # Kopano Mattermost
          # Allow framing only by the Mattermost host itself and by the Kopano WebApp host.
          Header set Content-Security-Policy "frame-ancestors 'self' https://your.kopano.webapp.host.local"
          # Legacy fallback for browsers without frame-ancestors support; the ALLOW-FROM URI takes no quotes.
          Header set X-Frame-Options "ALLOW-FROM https://your.kopano.webapp.host.local"
          # # #
          
          
          • longsleep
            longsleep Kopano @_r9 last edited by

            @_r9 said in Mattermost X-Frame-Options and Content-Security-Policy for apache:

            Header append Content-Security-Policy "frame-ancestors 'self' https://your.kopano.webapp.host.local"
            Header unset Content-Security-Policy

            Why do you first append something to a header and then remove that header completely in the next line? Makes no sense to me and this setup cannot be recommended since security relevant headers are removed.

            Kweb might eventually get a setting to enhance the default CSP header values.

            • _r9
              _r9 @longsleep last edited by _r9

              Hey @longsleep thanks for your response and help.

              1. I added this because without it I’m always getting the following error message inside my browser:
              Content Security Policy: Ignoring 'x-frame-options' because of 'frame-ancestors' directive.
              
              2. I googled about the configuration inside the linked article:
              proxy_hide_header X-Frame-Options;
              proxy_hide_header Content-Security-Policy;
              

              There are several articles like this one https://zinoui.com/blog/remove-http-response-headers which explains that proxy_hide_header for nginx is the same as header unset for apache2.

              As explained in my 2nd post this server configuration is for an apache2 proxy that sits in front of the Kweb server. The mattermost server is available through a specific port and host.

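The precedence the browser message above describes (a frame-ancestors directive makes X-Frame-Options irrelevant) can be checked offline. This added example, which is not code from the thread, Kopano or Mattermost, evaluates whether a response carrying the two headers from the apache snippet may be framed by a given origin; the Mattermost page origin and the other test origins are constructed.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample: the two headers set by the apache snippet in this thread.
THREAD_HEADERS = {
    "Content-Security-Policy": "frame-ancestors 'self' https://your.kopano.webapp.host.local",
    "X-Frame-Options": "ALLOW-FROM https://your.kopano.webapp.host.local",
}

def _origin_parts(origin):  # (scheme, host, port) with the default port filled in
    u = urlsplit(origin)
    return u.scheme.lower(), (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme.lower())

def _frame_ancestors(csp):  # source list of frame-ancestors, or None when the directive is absent
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def _source_matches(source, embedder, page):
    """CSP source-expression matching for 'none', 'self', *, scheme-sources and host-sources."""
    src = source.lower()
    if src in ("'none'", "*"):
        return src == "*"
    if src == "'self'":
        return _origin_parts(embedder) == _origin_parts(page)
    e_scheme, e_host, e_port = _origin_parts(embedder)
    if src.endswith(":") and "/" not in src:          # scheme-source, e.g. https:
        return e_scheme == src[:-1]
    if "://" not in src:                              # bare host inherits the page scheme
        src = _origin_parts(page)[0] + "://" + src
    s_scheme, s_host, s_port = _origin_parts(src)
    host_ok = s_host == e_host or (s_host.startswith("*.") and e_host.endswith(s_host[1:]))
    return s_scheme == e_scheme and host_ok and s_port == e_port

def may_be_framed(headers, embedder, page):
    """True if a document served from `page` with `headers` may be framed by `embedder`."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:  # frame-ancestors present: X-Frame-Options is ignored entirely
        return any(_source_matches(s, embedder, page) for s in sources)
    tokens = h.get("x-frame-options", "").split(None, 1)
    verb = tokens[0].upper() if tokens else ""
    if verb == "DENY":
        return False
    if verb == "SAMEORIGIN":
        return _origin_parts(embedder) == _origin_parts(page)
    if verb == "ALLOW-FROM" and len(tokens) == 2:     # legacy Firefox semantics only
        return _origin_parts(tokens[1]) == _origin_parts(embedder)
    return True                                       # absent or unrecognised: not enforced
```

A quoted ALLOW-FROM URI, as in the thread's first version of the snippet, never matches because the quotes become part of the header value.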
              • _r9
                _r9 @longsleep last edited by

                @longsleep But you were right about this. When I remove the Header append configuration I’m having the same results. I thought about it, and this makes no sense. Sorry for the wrong lead.

                  • _r9
                    _r9 @longsleep last edited by _r9

                    @longsleep Okay, it looks like I found the right configuration. I changed my first and second post. Looks like the browser caches made me crazy about this xD

                    • fbartels
                      fbartels Kopano @_r9 last edited by

                      @_r9 thanks for sharing. The documentation I was referring to was the included Apache vhost in our Mattermost packages, but since you’re running in Docker you are probably not using these.

                      These already had something quite similar to your code, except it used a Header edit. But on the other hand, since we both consulted the same Apache documentation, it also had the same unset.

                      Regards Felix
