From 75651f63ad53e9ad7d99755bb22ce746ca0f2c03 Mon Sep 17 00:00:00 2001
From: Ruakij <ruakij@ruekov.eu>
Date: Sun, 22 Sep 2024 20:28:43 +0200
Subject: [PATCH] feat: add Content-Security-Policy Header, allows setting
 frame-ancestor domains and moved font local

fix #455
---
 cypress/config/settings.cypress.json          |  1 +
 overseerr-api.yml                             |  3 +
 package.json                                  |  1 +
 pnpm-lock.yaml                                |  9 ++
 server/index.ts                               | 31 ++++++-
 server/lib/settings/index.ts                  |  2 +
 server/utils/restartFlag.ts                   |  3 +-
 .../Settings/SettingsMain/index.tsx           | 30 +++++++
 src/i18n/locale/en.json                       |  8 +-
 src/pages/_app.tsx                            | 86 ++++++++++---------
 src/pages/_document.tsx                       |  8 +-
 src/styles/globals.css                        |  4 +
 12 files changed, 133 insertions(+), 53 deletions(-)

diff --git a/cypress/config/settings.cypress.json b/cypress/config/settings.cypress.json
index 45e38a29e..8e529c3d3 100644
--- a/cypress/config/settings.cypress.json
+++ b/cypress/config/settings.cypress.json
@@ -7,6 +7,7 @@
     "applicationTitle": "Overseerr",
     "applicationUrl": "",
     "csrfProtection": false,
+    "cspFrameAncestorDomains": "",
     "cacheImages": false,
     "defaultPermissions": 32,
     "defaultQuotas": {
diff --git a/overseerr-api.yml b/overseerr-api.yml
index 96a4520a7..dafb7602f 100644
--- a/overseerr-api.yml
+++ b/overseerr-api.yml
@@ -168,6 +168,9 @@ components:
         csrfProtection:
           type: boolean
           example: false
+        cspFrameAncestorDomains:
+          type: string
+          example: 'example.com'
         hideAvailable:
           type: boolean
           example: false
diff --git a/package.json b/package.json
index 9ce9330f8..fd24e7b1f 100644
--- a/package.json
+++ b/package.json
@@ -61,6 +61,7 @@
     "express-session": "1.17.3",
     "formik": "^2.4.6",
     "gravatar-url": "3.1.0",
+    "helmet": "^7.1.0",
     "lodash": "4.17.21",
     "mime": "3",
     "next": "^14.2.4",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 7391a775a..4b7dfcfe5 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -95,6 +95,9 @@ importers:
       gravatar-url:
         specifier: 3.1.0
         version: 3.1.0
+      helmet:
+        specifier: ^7.1.0
+        version: 7.1.0
       lodash:
         specifier: 4.17.21
         version: 4.17.21
@@ -5292,6 +5295,10 @@ packages:
     resolution: {integrity: sha512-F/1DnUGPopORZi0ni+CvrCgHQ5FyEAHRLSApuYWMmrbSwoN2Mn/7k+Gl38gJnR7yyDZk6WLXwiGod1JOWNDKGw==}
     hasBin: true
 
+  helmet@7.1.0:
+    resolution: {integrity: sha512-g+HZqgfbpXdCkme/Cd/mZkV0aV3BZZZSugecH03kl38m/Kmdx8jKjBikpDj2cr+Iynv4KpYEviojNdTJActJAg==}
+    engines: {node: '>=16.0.0'}
+
   hermes-estree@0.19.1:
     resolution: {integrity: sha512-daLGV3Q2MKk8w4evNMKwS8zBE/rcpA800nu1Q5kM08IKijoSnPe9Uo1iIxzPKRkn95IxxsgBMPeYHt3VG4ej2g==}
 
@@ -15595,6 +15602,8 @@ snapshots:
 
   he@1.2.0: {}
 
+  helmet@7.1.0: {}
+
   hermes-estree@0.19.1: {}
 
   hermes-estree@0.20.1: {}
diff --git a/server/index.ts b/server/index.ts
index 4ccc6fed1..58a64ec36 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -32,6 +32,7 @@ import express from 'express';
 import * as OpenApiValidator from 'express-openapi-validator';
 import type { Store } from 'express-session';
 import session from 'express-session';
+import helmet from 'helmet';
 import next from 'next';
 import dns from 'node:dns';
 import net from 'node:net';
@@ -159,6 +160,28 @@ app
       });
     }
 
+    // Setup Content-Security-Policy
+    server.use(
+      helmet.contentSecurityPolicy({
+        useDefaults: false,
+        directives: {
+          'default-src': ["'self'", "'unsafe-inline'"],
+          'script-src': [
+            "'self'",
+            "'unsafe-inline'",
+            ...(dev ? ["'unsafe-eval'"] : []),
+          ],
+          'img-src': ["'self'", "'unsafe-inline'", 'data:', 'blob:', '*'],
+          'frame-ancestors': [
+            "'self'",
+            ...(settings.main.cspFrameAncestorDomains
+              ? [settings.main.cspFrameAncestorDomains]
+              : []),
+          ],
+        },
+      })
+    );
+
     // Set up sessions
     const sessionRespository = getRepository(Session);
     server.use(
@@ -170,8 +193,12 @@ app
         cookie: {
           maxAge: 1000 * 60 * 60 * 24 * 30,
           httpOnly: true,
-          sameSite: settings.main.csrfProtection ? 'strict' : 'lax',
-          secure: 'auto',
+          sameSite: settings.main.csrfProtection
+            ? 'strict'
+            : settings.main.cspFrameAncestorDomains
+            ? 'none'
+            : 'lax',
+          secure: settings.main.cspFrameAncestorDomains ? true : 'auto',
         },
         store: new TypeormStore({
           cleanupLimit: 2,
diff --git a/server/lib/settings/index.ts b/server/lib/settings/index.ts
index 074a4fcdc..6f7e7e1f5 100644
--- a/server/lib/settings/index.ts
+++ b/server/lib/settings/index.ts
@@ -104,6 +104,7 @@ export interface MainSettings {
   applicationTitle: string;
   applicationUrl: string;
   csrfProtection: boolean;
+  cspFrameAncestorDomains: string;
   cacheImages: boolean;
   defaultPermissions: number;
   defaultQuotas: {
@@ -310,6 +311,7 @@ class Settings {
         applicationTitle: 'Jellyseerr',
         applicationUrl: '',
         csrfProtection: false,
+        cspFrameAncestorDomains: '',
         cacheImages: false,
         defaultPermissions: Permission.REQUEST,
         defaultQuotas: {
diff --git a/server/utils/restartFlag.ts b/server/utils/restartFlag.ts
index 387ec5ce4..e2f52ebeb 100644
--- a/server/utils/restartFlag.ts
+++ b/server/utils/restartFlag.ts
@@ -13,7 +13,8 @@ class RestartFlag {
 
     return (
       this.settings.csrfProtection !== settings.csrfProtection ||
-      this.settings.trustProxy !== settings.trustProxy
+      this.settings.trustProxy !== settings.trustProxy ||
+      this.settings.cspFrameAncestorDomains !== settings.cspFrameAncestorDomains
     );
   }
 }
diff --git a/src/components/Settings/SettingsMain/index.tsx b/src/components/Settings/SettingsMain/index.tsx
index f7aac0d96..b010dcf01 100644
--- a/src/components/Settings/SettingsMain/index.tsx
+++ b/src/components/Settings/SettingsMain/index.tsx
@@ -44,6 +44,9 @@ const messages = defineMessages('components.Settings.SettingsMain', {
   csrfProtectionTip: 'Set external API access to read-only (requires HTTPS)',
   csrfProtectionHoverTip:
     'Do NOT enable this setting unless you understand what you are doing!',
+  cspFrameAncestorDomains: 'Frame-Ancestor Domains',
+  cspFrameAncestorDomainsTip:
+    'Domains to allow embedding Jellyseer as iframe, object or embed. Incompatible with CSRF-Protection',
   cacheImages: 'Enable Image Caching',
   cacheImagesTip:
     'Cache externally sourced images (requires a significant amount of disk space)',
@@ -130,6 +133,7 @@ const SettingsMain = () => {
             applicationTitle: data?.applicationTitle,
             applicationUrl: data?.applicationUrl,
             csrfProtection: data?.csrfProtection,
+            cspFrameAncestorDomains: data?.cspFrameAncestorDomains,
             hideAvailable: data?.hideAvailable,
             locale: data?.locale ?? 'en',
             region: data?.region,
@@ -151,6 +155,7 @@ const SettingsMain = () => {
                   applicationTitle: values.applicationTitle,
                   applicationUrl: values.applicationUrl,
                   csrfProtection: values.csrfProtection,
+                  cspFrameAncestorDomains: values.cspFrameAncestorDomains,
                   hideAvailable: values.hideAvailable,
                   locale: values.locale,
                   region: values.region,
@@ -318,6 +323,31 @@ const SettingsMain = () => {
                     </Tooltip>
                   </div>
                 </div>
+                <div className="form-row">
+                  <label
+                    htmlFor="cspFrameAncestorDomains"
+                    className="text-label"
+                  >
+                    <span className="mr-2">
+                      {intl.formatMessage(messages.cspFrameAncestorDomains)}
+                    </span>
+                    <SettingsBadge badgeType="advanced" className="mr-2" />
+                    <SettingsBadge badgeType="restartRequired" />
+                    <span className="label-tip">
+                      {intl.formatMessage(messages.cspFrameAncestorDomainsTip)}
+                    </span>
+                  </label>
+                  <div className="form-input-area">
+                    <div className="form-input-field">
+                      <Field
+                        id="cspFrameAncestorDomains"
+                        name="cspFrameAncestorDomains"
+                        type="text"
+                        disabled={values.csrfProtection}
+                      />
+                    </div>
+                  </div>
+                </div>
                 <div className="form-row">
                   <label htmlFor="cacheImages" className="checkbox-label">
                     <span className="mr-2">
diff --git a/src/i18n/locale/en.json b/src/i18n/locale/en.json
index 689e2315c..a2d3b3f83 100644
--- a/src/i18n/locale/en.json
+++ b/src/i18n/locale/en.json
@@ -873,6 +873,8 @@
   "components.Settings.SettingsMain.applicationurl": "Application URL",
   "components.Settings.SettingsMain.cacheImages": "Enable Image Caching",
   "components.Settings.SettingsMain.cacheImagesTip": "Cache externally sourced images (requires a significant amount of disk space)",
+  "components.Settings.SettingsMain.cspFrameAncestorDomains": "Frame-Ancestor Domains",
+  "components.Settings.SettingsMain.cspFrameAncestorDomainsTip": "Domains to allow embedding Jellyseer as iframe, object or embed. Incompatible with CSRF-Protection",
   "components.Settings.SettingsMain.csrfProtection": "Enable CSRF Protection",
   "components.Settings.SettingsMain.csrfProtectionHoverTip": "Do NOT enable this setting unless you understand what you are doing!",
   "components.Settings.SettingsMain.csrfProtectionTip": "Set external API access to read-only (requires HTTPS)",
@@ -1030,6 +1032,7 @@
   "components.Settings.save": "Save Changes",
   "components.Settings.saving": "Saving…",
   "components.Settings.scan": "Sync Libraries",
+  "components.Settings.scanbackground": "Scanning will run in the background. You can continue the setup process in the meantime.",
   "components.Settings.scanning": "Syncing…",
   "components.Settings.serverLocal": "local",
   "components.Settings.serverRemote": "remote",
@@ -1050,6 +1053,7 @@
   "components.Settings.tautulliSettings": "Tautulli Settings",
   "components.Settings.tautulliSettingsDescription": "Optionally configure the settings for your Tautulli server. Jellyseerr fetches watch history data for your Plex media from Tautulli.",
   "components.Settings.timeout": "Timeout",
+  "components.Settings.tip": "Tip",
   "components.Settings.toastPlexConnecting": "Attempting to connect to Plex…",
   "components.Settings.toastPlexConnectingFailure": "Failed to connect to Plex.",
   "components.Settings.toastPlexConnectingSuccess": "Plex connection established successfully!",
@@ -1079,7 +1083,6 @@
   "components.Setup.continue": "Continue",
   "components.Setup.finish": "Finish Setup",
   "components.Setup.finishing": "Finishing…",
-  "components.Setup.scanbackground": "Scanning will run in the background. You can continue the setup process in the meantime.",
   "components.Setup.servertype": "Choose Server Type",
   "components.Setup.setup": "Setup",
   "components.Setup.signin": "Sign In",
@@ -1088,7 +1091,6 @@
   "components.Setup.signinWithJellyfin": "Enter your Jellyfin details",
   "components.Setup.signinWithPlex": "Enter your Plex details",
   "components.Setup.subtitle": "Get started by choosing your media server",
-  "components.Setup.tip": "Tip",
   "components.Setup.welcome": "Welcome to Jellyseerr",
   "components.StatusBadge.managemedia": "Manage {mediaType}",
   "components.StatusBadge.openinarr": "Open in {arr}",
@@ -1233,6 +1235,7 @@
   "components.UserProfile.UserSettings.UserGeneralSettings.saving": "Saving…",
   "components.UserProfile.UserSettings.UserGeneralSettings.seriesrequestlimit": "Series Request Limit",
   "components.UserProfile.UserSettings.UserGeneralSettings.toastSettingsFailure": "Something went wrong while saving settings.",
+  "components.UserProfile.UserSettings.UserGeneralSettings.toastSettingsFailureEmail": "This email is already taken!",
   "components.UserProfile.UserSettings.UserGeneralSettings.toastSettingsSuccess": "Settings saved successfully!",
   "components.UserProfile.UserSettings.UserGeneralSettings.user": "User",
   "components.UserProfile.UserSettings.UserGeneralSettings.validationDiscordId": "You must provide a valid Discord user ID",
@@ -1312,6 +1315,7 @@
   "components.UserProfile.seriesrequest": "Series Requests",
   "components.UserProfile.totalrequests": "Total Requests",
   "components.UserProfile.unlimited": "Unlimited",
+  "i18n.addToBlacklist": "Add to Blacklist",
   "i18n.advanced": "Advanced",
   "i18n.all": "All",
   "i18n.approve": "Approve",
diff --git a/src/pages/_app.tsx b/src/pages/_app.tsx
index ba0677c64..923fd2e27 100644
--- a/src/pages/_app.tsx
+++ b/src/pages/_app.tsx
@@ -17,11 +17,13 @@ import { MediaServerType } from '@server/constants/server';
 import type { PublicSettingsResponse } from '@server/interfaces/api/settingsInterfaces';
 import type { AppInitialProps, AppProps } from 'next/app';
 import App from 'next/app';
+import { Inter } from 'next/font/google';
 import Head from 'next/head';
 import { useEffect, useState } from 'react';
 import { IntlProvider } from 'react-intl';
 import { ToastProvider } from 'react-toast-notifications';
 import { SWRConfig } from 'swr';
+const inter = Inter({ subsets: ['latin'] });
 
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 const loadLocaleData = (locale: AvailableLocale): Promise<any> => {
@@ -136,47 +138,49 @@ const CoreApp: Omit<NextAppComponentType, 'origGetInitialProps'> = ({
   }
 
   return (
-    <SWRConfig
-      value={{
-        fetcher: async (resource, init) => {
-          const res = await fetch(resource, init);
-          if (!res.ok) throw new Error();
-          return await res.json();
-        },
-        fallback: {
-          '/api/v1/auth/me': user,
-        },
-      }}
-    >
-      <LanguageContext.Provider value={{ locale: currentLocale, setLocale }}>
-        <IntlProvider
-          locale={currentLocale}
-          defaultLocale="en"
-          messages={loadedMessages}
-        >
-          <LoadingBar />
-          <SettingsProvider currentSettings={currentSettings}>
-            <InteractionProvider>
-              <ToastProvider components={{ Toast, ToastContainer }}>
-                <Head>
-                  <title>{currentSettings.applicationTitle}</title>
-                  <meta
-                    name="viewport"
-                    content="initial-scale=1, viewport-fit=cover, width=device-width"
-                  ></meta>
-                  <PWAHeader
-                    applicationTitle={currentSettings.applicationTitle}
-                  />
-                </Head>
-                <StatusChecker />
-                <ServiceWorkerSetup />
-                <UserContext initialUser={user}>{component}</UserContext>
-              </ToastProvider>
-            </InteractionProvider>
-          </SettingsProvider>
-        </IntlProvider>
-      </LanguageContext.Provider>
-    </SWRConfig>
+    <main className={inter.className}>
+      <SWRConfig
+        value={{
+          fetcher: async (resource, init) => {
+            const res = await fetch(resource, init);
+            if (!res.ok) throw new Error();
+            return await res.json();
+          },
+          fallback: {
+            '/api/v1/auth/me': user,
+          },
+        }}
+      >
+        <LanguageContext.Provider value={{ locale: currentLocale, setLocale }}>
+          <IntlProvider
+            locale={currentLocale}
+            defaultLocale="en"
+            messages={loadedMessages}
+          >
+            <LoadingBar />
+            <SettingsProvider currentSettings={currentSettings}>
+              <InteractionProvider>
+                <ToastProvider components={{ Toast, ToastContainer }}>
+                  <Head>
+                    <title>{currentSettings.applicationTitle}</title>
+                    <meta
+                      name="viewport"
+                      content="initial-scale=1, viewport-fit=cover, width=device-width"
+                    ></meta>
+                    <PWAHeader
+                      applicationTitle={currentSettings.applicationTitle}
+                    />
+                  </Head>
+                  <StatusChecker />
+                  <ServiceWorkerSetup />
+                  <UserContext initialUser={user}>{component}</UserContext>
+                </ToastProvider>
+              </InteractionProvider>
+            </SettingsProvider>
+          </IntlProvider>
+        </LanguageContext.Provider>
+      </SWRConfig>
+    </main>
   );
 };
 
diff --git a/src/pages/_document.tsx b/src/pages/_document.tsx
index 32df8a3b5..8461168cb 100644
--- a/src/pages/_document.tsx
+++ b/src/pages/_document.tsx
@@ -13,13 +13,7 @@ class MyDocument extends Document {
   render(): JSX.Element {
     return (
       <Html>
-        <Head>
-          <link rel="preconnect" href="https://fonts.gstatic.com" />
-          <link
-            rel="stylesheet"
-            href="https://fonts.googleapis.com/css2?family=Inter:wght@100..900&display=swap"
-          />
-        </Head>
+        <Head></Head>
         <body>
           <Main />
           <NextScript />
diff --git a/src/styles/globals.css b/src/styles/globals.css
index 1e99d53df..49db614e8 100644
--- a/src/styles/globals.css
+++ b/src/styles/globals.css
@@ -53,6 +53,10 @@
 }
 
 @layer components {
+  *:disabled {
+    opacity: 0.7;
+  }
+
   .searchbar {
     padding-top: env(safe-area-inset-top);
     height: calc(4rem + env(safe-area-inset-top));