From b9929dc68297539a94d21950995e26e06745a263 Mon Sep 17 00:00:00 2001 From: Lauri Ojansivu Date: Mon, 13 Aug 2018 19:24:07 +0300 Subject: [PATCH] - When Content Policy is enabled, allow one URL to have iframe that embeds Wekan - Add option to turn off Content Policy - Allow always in Wekan markdown Thanks to xet7 ! Closes #1676 --- Dockerfile | 5 ++++- docker-compose.yml | 6 ++++++ sandstorm-pkgdef.capnp | 2 ++ server/policy.js | 24 ++++++++++++++++++++++++ snap-src/bin/config | 12 +++++++++++- snap-src/bin/wekan-help | 15 +++++++++++++++ 6 files changed, 62 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 39002070f..a548adf19 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,6 +15,8 @@ ARG MATOMO_ADDRESS ARG MATOMO_SITE_ID ARG MATOMO_DO_NOT_TRACK ARG MATOMO_WITH_USERNAME +ARG BROWSER_POLICY_ENABLED +ARG TRUSTED_URL # Set the environment variables (defaults where required) # DOES NOT WORK: paxctl fix for alpine linux: https://github.com/wekan/wekan/issues/1303 @@ -33,7 +35,8 @@ ENV MATOMO_ADDRESS ${MATOMO_ADDRESS:-} ENV MATOMO_SITE_ID ${MATOMO_SITE_ID:-} ENV MATOMO_DO_NOT_TRACK ${MATOMO_DO_NOT_TRACK:-false} ENV MATOMO_WITH_USERNAME ${MATOMO_WITH_USERNAME:-true} - +ENV BROWSER_POLICY_ENABLED ${BROWSER_POLICY_ENABLED:-true} +ENV TRUSTED_URL ${TRUSTED_URL:-} # Copy the app to the image COPY ${SRC_PATH} /home/wekan/app diff --git a/docker-compose.yml b/docker-compose.yml index e769cb829..9e96bcf10 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -49,6 +49,12 @@ services: # - MATOMO_DO_NOT_TRACK='false' # The option that allows matomo to retrieve the username: # - MATOMO_WITH_USERNAME='true' + # Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside. + # Setting this to false is not recommended, it also disables all other browser policy protections + # and allows all iframing etc. See wekan/server/policy.js + - BROWSER_POLICY_ENABLED=true + # When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside. + - TRUSTED_URL= depends_on: - wekandb diff --git a/sandstorm-pkgdef.capnp b/sandstorm-pkgdef.capnp index 239e1640c..c1cd764c4 100644 --- a/sandstorm-pkgdef.capnp +++ b/sandstorm-pkgdef.capnp @@ -242,6 +242,8 @@ const myCommand :Spk.Manifest.Command = ( (key = "MATOMO_SITE_ID", value=""), (key = "MATOMO_DO_NOT_TRACK", value="false"), (key = "MATOMO_WITH_USERNAME", value="true"), + (key = "BROWSER_POLICY_ENABLED", value="true"), + (key = "TRUSTED_URL", value=""), (key = "SANDSTORM", value = "1"), (key = "METEOR_SETTINGS", value = "{\"public\": {\"sandstorm\": true}}") ] diff --git a/server/policy.js b/server/policy.js index 17c90c1c3..344e42e28 100644 --- a/server/policy.js +++ b/server/policy.js 
@@ -1,9 +1,33 @@ import { BrowserPolicy } from 'meteor/browser-policy-common'; Meteor.startup(() => { + + if ( process.env.BROWSER_POLICY_ENABLED === 'true' ) { + // Trusted URL that can embed Wekan in iFrame. + const trusted = process.env.TRUSTED_URL; + BrowserPolicy.framing.disallow(); + BrowserPolicy.content.disallowInlineScripts(); + BrowserPolicy.content.disallowEval(); + BrowserPolicy.content.allowInlineStyles(); + BrowserPolicy.content.allowFontDataUrl(); + BrowserPolicy.framing.restrictToOrigin(trusted); + BrowserPolicy.content.allowScriptOrigin(trusted); + } + else { + // Disable browser policy and allow all framing and including. + // Use only at internal LAN, not at Internet. + BrowserPolicy.framing.allowAll(); + BrowserPolicy.content.allowDataUrlForAll(); + } + + // Allow all images from anywhere + BrowserPolicy.content.allowImageOrigin('*'); + + // If Matomo URL is set, allow it. const matomoUrl = process.env.MATOMO_ADDRESS; if (matomoUrl){ BrowserPolicy.content.allowScriptOrigin(matomoUrl); BrowserPolicy.content.allowImageOrigin(matomoUrl); } + }); diff --git a/snap-src/bin/config b/snap-src/bin/config index 9aa2841e4..2c50c0744 100755 --- a/snap-src/bin/config +++ b/snap-src/bin/config @@ -3,7 +3,7 @@ # All supported keys are defined here together with descriptions and default values # list of supported keys -keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME" +keys="MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL" # default values DESCRIPTION_MONGODB_BIND_UNIX_SOCKET="mongodb binding unix socket:\n"\ 
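Review bot: The new check `if ( process.env.BROWSER_POLICY_ENABLED === 'true' )` fails open: when the variable is unset or spelled any other way (`True`, `1`), control reaches the `else` branch and `BrowserPolicy.framing.allowAll()` / `BrowserPolicy.content.allowDataUrlForAll()` remove the framing and data-URL restrictions, so a deployment that never sets the variable (a plain `meteor run`, where the Dockerfile/compose/snap defaults of `true` do not apply) ends up with the weakest configuration. Inverting the test to `if ( process.env.BROWSER_POLICY_ENABLED !== 'false' )` keeps the protections on unless the operator explicitly opts out, which matches the "not recommended" wording in the docker-compose comment. Inside the enabled branch `trusted` is passed to `restrictToOrigin` and `allowScriptOrigin` even when `TRUSTED_URL` is unset or empty (the shipped defaults), so guard those two calls with `if (trusted) { BrowserPolicy.framing.restrictToOrigin(trusted); BrowserPolicy.content.allowScriptOrigin(trusted); }`; how browser-policy renders an empty or undefined origin into the X-Frame-Options/CSP headers is not visible here and is worth checking. Separately, `allowScriptOrigin(trusted)` lets Wekan load scripts from the embedding site, which embedding alone does not require; if only iframing is intended, drop it, otherwise add a comment saying why script loading from the trusted origin is needed.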
@@ -67,3 +67,13 @@ KEY_MATOMO_DO_NOT_TRACK="matomo-do-not-track" DESCRIPTION_MATOMO_WITH_USERNAME="The option that allows matomo to retrieve the username" DEFAULT_MATOMO_WITH_USERNAME="false" KEY_MATOMO_WITH_USERNAME="matomo-with-username" + +DESCRIPTION_BROWSER_POLICY_ENABLED="Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside.\n"\ +"\t\t\t Setting this to false is not recommended, it also disables all other browser policy protections\n"\ +"\t\t\t and allows all iframing etc. See wekan/server/policy.js" +DEFAULT_BROWSER_POLICY_ENABLED="true" +KEY_BROWSER_POLICY_ENABLED="browser-policy-enabled" + +DESCRIPTION_TRUSTED_URL="When browser policy is enabled, HTML code at this Trusted URL can have iframe that embeds Wekan inside." +DEFAULT_TRUSTED_URL="" +KEY_TRUSTED_URL="trusted-url" diff --git a/snap-src/bin/wekan-help b/snap-src/bin/wekan-help index 5c3f9b310..49270fb23 100755 --- a/snap-src/bin/wekan-help +++ b/snap-src/bin/wekan-help 
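Review bot: `DESCRIPTION_TRUSTED_URL` describes the value as a URL, but `server/policy.js` in this commit passes it to `BrowserPolicy.framing.restrictToOrigin` and `BrowserPolicy.content.allowScriptOrigin`, which take an origin, so a value carrying a path (e.g. `https://example.com/board`) may not behave the way an operator expects. Suggest stating the expected shape and the second effect in the description, e.g. `DESCRIPTION_TRUSTED_URL="Origin (scheme://host[:port], no path) whose pages may embed Wekan in an iframe when browser policy is enabled. Scripts from this origin are also allowed."`. The same wording would fit the matching comment in docker-compose.yml and the text in snap-src/bin/wekan-help.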
@@ -32,6 +32,21 @@ echo -e "To enable the API of wekan:" echo -e "\t$ snap set $SNAP_NAME WITH_API='true'" echo -e "\t-Disable the API:" echo -e "\t$ snap set $SNAP_NAME WITH_API='false'" +echo -e "\n" +echo -e "Enable browser policy and allow one trusted URL that can have iframe that has Wekan embedded inside." +echo -e "\t\t Setting this to false is not recommended, it also disables all other browser policy protections" +echo -e "\t\t and allows all iframing etc. See wekan/server/policy.js" +echo -e "To enable the Content Policy of Wekan:" +echo -e "\t$ snap set $SNAP_NAME CONTENT_POLICY_ENABLED='true'" +echo -e "\t-Disable the Content Policy of Wekan:" +echo -e "\t$ snap set $SNAP_NAME CONTENT_POLICY_ENABLED='false'" +echo -e "\n" +echo -e "When browser policy is enabled, HTML code at this URL can have iframe that embeds Wekan inside." +echo -e "To enable the Trusted URL of Wekan:" +echo -e "\t$ snap set $SNAP_NAME TRUSTED_URL='https://example.com'" +echo -e "\t-Disable the Trusted URL of Wekan:" +echo -e "\t$ snap set $SNAP_NAME TRUSTED_URL=''" +echo -e "\n" # parse config file for supported settings keys echo -e "wekan supports settings keys" echo -e "values can be changed by calling\n$ snap set $SNAP_NAME =''"
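Review bot: The help text tells operators to run `snap set $SNAP_NAME CONTENT_POLICY_ENABLED='true'` / `'false'`, but the key this commit adds to `snap-src/bin/config` is `BROWSER_POLICY_ENABLED` (`KEY_BROWSER_POLICY_ENABLED="browser-policy-enabled"`), and `CONTENT_POLICY_ENABLED` is not in the supported `keys` list, so following these instructions most likely leaves the policy at its default with no indication why. Change both lines to `echo -e "\t$ snap set $SNAP_NAME BROWSER_POLICY_ENABLED='true'"` and `echo -e "\t$ snap set $SNAP_NAME BROWSER_POLICY_ENABLED='false'"`, and align the headings ("To enable the Content Policy of Wekan:") with the setting name. The Dockerfile, docker-compose.yml and sandstorm-pkgdef.capnp hunks all use `BROWSER_POLICY_ENABLED`; this hunk is the only place the other name appears.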