From 99c6c9ec92237d582d033fd4a1078a0f12e54049 Mon Sep 17 00:00:00 2001 From: Kevin Veen-Birkenbach Date: Thu, 7 Aug 2025 09:33:19 +0200 Subject: [PATCH] Optimized CSP check --- Todo.md | 3 ++- group_vars/all/00_general.yml | 2 +- .../templates/iframe-handler.js.j2 | 14 ++++++++------ roles/web-svc-logout/config/main.yml | 1 + roles/web-svc-logout/vars/main.yml | 5 +---- 5 files changed, 13 insertions(+), 12 deletions(-) diff --git a/Todo.md b/Todo.md index dae19fe2..095f10be 100644 --- a/Todo.md +++ b/Todo.md @@ -1,3 +1,4 @@ # Todos - Implement multi language -- Implement rbac administration interface \ No newline at end of file +- Implement rbac administration interface +- Implement [cloudflare dev cache via API](https://chatgpt.com/share/689385e2-7744-800f-aa93-a6e811a245df) \ No newline at end of file diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml index fb931919..7c156d49 100644 --- a/group_vars/all/00_general.yml +++ b/group_vars/all/00_general.yml @@ -47,7 +47,7 @@ certbot_credentials_dir: /etc/certbot certbot_credentials_file: "{{ certbot_credentials_dir }}/{{ certbot_acme_challenge_method }}.ini" certbot_dns_api_token: "" # Define in inventory file: More information here: group_vars/all/docs/CLOUDFLARE_API_TOKEN.md certbot_dns_propagation_wait_seconds: 40 # How long should the script wait for DNS propagation before continuing -certbot_flavor: san # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), deicated +certbot_flavor: san # Possible options: san (recommended, with a dns flavor like cloudflare, or hetzner), wildcard(doesn't function with www redirect), dedicated # Path where Certbot stores challenge webroot files letsencrypt_webroot_path: "/var/lib/letsencrypt/" diff --git a/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2 b/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2 index 6b927f13..a5f9a7fd 100644 
--- a/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2 +++ b/roles/srv-web-7-7-inj-port-ui-desktop/templates/iframe-handler.js.j2 @@ -3,12 +3,14 @@ var allowedOrigin = "https://{{ domains | get_domain('web-app-port-ui') }}"; function notifyParent() { - try { - window.parent.postMessage({ - type: "iframeLocationChange", - href: window.location.href - }, allowedOrigin); - } catch (e) {} + if (window.self !== window.top) { + try { + window.parent.postMessage({ + type: "iframeLocationChange", + href: window.location.href + }, allowedOrigin); + } catch (e) {} + } } function forceExternalLinks() { diff --git a/roles/web-svc-logout/config/main.yml b/roles/web-svc-logout/config/main.yml index 9c0b0ff7..1035846a 100644 --- a/roles/web-svc-logout/config/main.yml +++ b/roles/web-svc-logout/config/main.yml @@ -3,6 +3,7 @@ features: css: true port-ui-desktop: true javascript: false + logout: false domains: canonical: - "logout.{{ primary_domain }}" diff --git a/roles/web-svc-logout/vars/main.yml b/roles/web-svc-logout/vars/main.yml index 447a7d6f..f17da19a 100644 --- a/roles/web-svc-logout/vars/main.yml +++ b/roles/web-svc-logout/vars/main.yml @@ -8,8 +8,5 @@ container_port: 8000 # @todo implement the calling of also dependency domains (propably the easiest to write a script which adds all dependencies to group_names) logout_domains: >- {{ - ( - [primary_domain] + - (applications | logout_domains(group_names)) - ) | unique | join(',') + (applications | logout_domains(group_names)) | unique | join(',') }}
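Review bot: The `catch (e) {}` kept inside the new `window.self !== window.top` guard in `notifyParent` still discards every error, so if the template renders a malformed `allowedOrigin` (postMessage throws a SyntaxError on an invalid target origin), parent notifications stop with no trace. Log it instead, e.g. `} catch (e) { console.warn("iframeLocationChange not sent", e); }`. The message also carries the full `window.location.href`, query string and fragment included; if an embedded app ever places codes or tokens in its URL, sending `window.location.origin + window.location.pathname` would be safer, assuming the parent does not need the rest. Pinning the target origin rather than using `"*"` is what limits delivery to the portal and deserves a short comment. The receiving handler is not in this hunk and should check `event.origin` before acting on the message.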
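Review bot: With `[primary_domain] +` dropped, `logout_domains` can now render as an empty string whenever the `logout_domains(group_names)` filter returns no entries, where before it always held at least the primary domain. The consumers of this variable are not visible in this hunk; if any of them splits on `,` or builds an allow-list from it, an empty value should be handled or rejected explicitly. If an application served on `primary_domain` keeps a session, confirm the filter still returns that domain, otherwise logout would presumably no longer reach it. If the intent is that the primary domain is listed only when the filter returns it, record that above the expression, e.g. `# primary_domain is included only when logout_domains(group_names) returns it`.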