[feature] Set some security related headers (#3065)

* Set frame-ancestors in the CSP
   This ensures we can't be loaded/embedded in an iframe. It also sets the
   older X-Frame-Options for fallback.
* Disable MIME type sniffing
* Set Referrer-Policy
   This sets the policy such that browsers will never send the Referer
   header along with a request, unless it's a request to the same protocol,
   host/domain and port. Basically, only send it when navigating through
   our own UI, but not anything external.

   The default is strict-origin-when-cross-origin when unset, which sends
   the Referer header for requests unless it's going from HTTPS to HTTP
   (i.e a security downgrade, hence the 'strict').

1 files changed, 9 insertions, 0 deletions

diff --git a/internal/middleware/contentsecuritypolicy.go b/internal/middleware/contentsecuritypolicy.go
index 5984a75c3..fb35c3a08 100644
--- a/internal/middleware/contentsecuritypolicy.go
+++ b/internal/middleware/contentsecuritypolicy.go
@@ -40,6 +40,7 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
 		objectSrc  = "object-src"
 		imgSrc     = "img-src"
 		mediaSrc   = "media-src"
+		frames     = "frame-ancestors"
 
 		self = "'self'"
 		none = "'none'"
@@ -103,6 +104,14 @@ func BuildContentSecurityPolicy(extraURIs ...string) string {
 	)
 
 	/*
+		frame-ancestors
+		https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+	*/
+
+	// Don't allow embedding us in an iframe
+	values[frames] = []string{none}
+
+	/*
 		Assemble policy directives.
 	*/