From c52f424e79d0b3a44acd4547268457e9c95c80ff Mon Sep 17 00:00:00 2001 From: Alexander Olofsson Date: Mon, 25 Sep 2023 15:26:00 +0200 Subject: [PATCH] element-web: Use a wider CSP default X-Frame-Options should be the source of truth for this particular policy decision, but it seems some browsers aren't collating the two correctly, so a slightly wider CSP policy allows those to behave reasonably. --- charts/element-web/Chart.yaml | 2 +- charts/element-web/values.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/element-web/Chart.yaml b/charts/element-web/Chart.yaml index 3f5cba3..3ae3fc0 100644 --- a/charts/element-web/Chart.yaml +++ b/charts/element-web/Chart.yaml @@ -10,7 +10,7 @@ icon: https://element.io/images/logo-mark-primary.svg appVersion: 1.11.42 type: application -version: 1.2.13 +version: 1.3.0 maintainers: - name: Alexander Olofsson diff --git a/charts/element-web/values.yaml b/charts/element-web/values.yaml index 15f834a..33381e7 100644 --- a/charts/element-web/values.yaml +++ b/charts/element-web/values.yaml @@ -34,7 +34,7 @@ nginxConfig: |- add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; - add_header Content-Security-Policy "frame-ancestors 'none'"; + add_header Content-Security-Policy "frame-ancestors 'self'"; ## Configuration for mounting additional volumes into the application container. ##
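Review bot: The new `frame-ancestors 'self'` default in values.yaml is the value browsers will actually enforce, because CSP-aware browsers apply `frame-ancestors` and ignore `X-Frame-Options` when both are sent, so the two headers have to be kept in agreement rather than treating X-Frame-Options as authoritative. A comment above the line would record that, e.g. `# frame-ancestors overrides X-Frame-Options in CSP-aware browsers; keep both in agreement`. Since this widens the chart default from no framing to same-origin framing, deployments that share an origin with other applications may want to override it back to `'none'`. Separately, `add_header` without `always` is emitted only on success and redirect responses, so nginx error pages carry no framing policy; `add_header Content-Security-Policy "frame-ancestors 'self'" always;` would cover them. The nginxConfig block starts outside the hunk, so whether these directives sit at server or location level is not visible here.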