Add CSP head for displaying iframe in rendering file

Author: lunny

modules/markup/renderer.go

@@ -46,7 +46,7 @@ type RenderContext struct {
 	GitRepo       *git.Repository
 	ShaExistCache map[string]bool
 	cancelFn      func()
-	UseIframe     bool
+	AllowIFrame   bool
 }
 
 // Cancel runs any cleanup functions that have been registered for this Ctx
@@ -227,7 +227,7 @@ func (err ErrUnsupportedRenderExtension) Error() string {
 func renderFile(ctx *RenderContext, input io.Reader, output io.Writer) error {
 	extension := strings.ToLower(filepath.Ext(ctx.RelativePath))
 	if renderer, ok := extRenderers[extension]; ok {
-		if renderer.DisplayInIFrame() && ctx.UseIframe {
+		if renderer.DisplayInIFrame() && ctx.AllowIFrame {
 			return renderIFrame(ctx, renderer, input, output)
 		}
 		return render(ctx, renderer, input, output)

routers/web/repo/view.go

@@ -524,12 +524,14 @@ func renderFile(ctx *context.Context, entry *git.TreeEntry, treeLink, rawLink st
 				URLPrefix:    path.Dir(treeLink),
 				Metas:        metas,
 				GitRepo:      ctx.Repo.GitRepo,
-				UseIframe:    true,
+				AllowIFrame:  true, // allow possible iframe from UI
 			}, rd, &result)
 			if err != nil {
 				ctx.ServerError("Render", err)
 				return
 			}
+			// to prevent iframe load third-party url
+			ctx.Resp.Header().Add("Content-Security-Policy", "frame-src "+setting.AppURL)
 			ctx.Data["EscapeStatus"], ctx.Data["FileContent"] = charset.EscapeControlString(result.String())
 		} else if readmeExist && !shouldRenderSource {
 			buf := &bytes.Buffer{}