Add mailto: to CSP frame-src directive

paskal · paskal · commit acfc7a29cd48 · 2025-12-04T12:07:12.000+01:00
Allow mailto links on the deleteme page to work without being blocked
by Content Security Policy.
diff --git a/backend/app/rest/api/rest.go b/backend/app/rest/api/rest.go
@@ -631,7 +631,7 @@ func securityHeadersMiddleware(imageProxyEnabled bool, allowedAncestors []string
 				log.Printf("[INFO] frame embedding allowed from %+v only", allowedAncestors)
 				frameAncestors = strings.Join(allowedAncestors, " ")
 			}
-			w.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src 'none'; base-uri 'none'; form-action 'none'; connect-src 'self'; frame-src 'self'; img-src %s; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src data:; object-src 'none'; frame-ancestors %s;", imgSrc, frameAncestors))
+			w.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src 'none'; base-uri 'none'; form-action 'none'; connect-src 'self'; frame-src 'self' mailto:; img-src %s; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src data:; object-src 'none'; frame-ancestors %s;", imgSrc, frameAncestors))
 			w.Header().Set("Permissions-Policy", "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=(), window-management=()")
 			next.ServeHTTP(w, r)
 		})

Original file line number	Diff line number	Diff line change
`@@ -631,7 +631,7 @@ func securityHeadersMiddleware(imageProxyEnabled bool, allowedAncestors []string`
`631`	`631`	`log.Printf("[INFO] frame embedding allowed from %+v only", allowedAncestors)`
`632`	`632`	`frameAncestors = strings.Join(allowedAncestors, " ")`
`633`	`633`	`}`
`634`		`- w.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src 'none'; base-uri 'none'; form-action 'none'; connect-src 'self'; frame-src 'self'; img-src %s; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src data:; object-src 'none'; frame-ancestors %s;", imgSrc, frameAncestors))`
	`634`	`+ w.Header().Set("Content-Security-Policy", fmt.Sprintf("default-src 'none'; base-uri 'none'; form-action 'none'; connect-src 'self'; frame-src 'self' mailto:; img-src %s; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; font-src data:; object-src 'none'; frame-ancestors %s;", imgSrc, frameAncestors))`
`635`	`635`	w.Header().Set("Permissions-Policy", "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), clipboard-read=(), clipboard-write=(), gamepad=(), hid=(), idle-detection=(), interest-cohort=(), serial=(), unload=(), window-management=()")
`636`	`636`	`next.ServeHTTP(w, r)`
`637`	`637`	`})`