From adf8e9c400e7b7c4e07baa8aad0d1fe1ebe217ce Mon Sep 17 00:00:00 2001
From: Leeland Clenista
Date: Mon, 20 Apr 2026 14:20:58 -0700
Subject: [PATCH 1/2] add frame-ancestors CSP header to export-and-sign iframe

Adds a Content-Security-Policy frame-ancestors header to the port 8086 (export-and-sign) nginx server block, configurable via the TURNKEY_FRAME_ANCESTORS environment variable. This prevents unauthorized origins from embedding the iframe and exploiting the shared embedded key stored in localStorage. The Dockerfile CMD is updated to run envsubst at startup, substituting only TURNKEY_FRAME_ANCESTORS so nginx's own $variable references are left untouched.
---
 Dockerfile | 2 +-
 nginx.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 714ab10..1af53b3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -54,4 +54,4 @@ EXPOSE 8085/tcp
 WORKDIR /usr/share/nginx
-CMD ["nginx"]
+CMD ["/bin/sh", "-c", "envsubst '${TURNKEY_FRAME_ANCESTORS}' < /etc/nginx/nginx.conf > /tmp/nginx-final.conf && nginx -c /tmp/nginx-final.conf"]
diff --git a/nginx.conf b/nginx.conf
index 7ea68e7..da0951e 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -72,8 +72,8 @@ http {
 }
 server {
 listen 8086;
- # optional: add CSP-related configs here later
 root /usr/share/nginx/templated/export-and-sign;
+ add_header Content-Security-Policy "frame-ancestors ${TURNKEY_FRAME_ANCESTORS}";
 location / {
 try_files $uri $uri/ /index.html =404;
 }

From d31912c46c7c1a0ad6fd1f35f6754ec206781435 Mon Sep 17 00:00:00 2001
From: Leeland Clenista
Date: Mon, 20 Apr 2026 15:36:04 -0700
Subject: [PATCH 2/2] default TURNKEY_FRAME_ANCESTORS to 'none' when unset

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 1af53b3..898e128 100644
--- a/Dockerfile
+++ b/Dockerfile
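Review bot: The new CMD copies TURNKEY_FRAME_ANCESTORS into nginx.conf with no validation, and envsubst is plain text substitution, so a value containing `"` or `;` is parsed as nginx configuration rather than as part of the header string. The variable is set by whoever deploys the image, so this is a misconfiguration risk rather than an external input, but a guard before envsubst would fail fast and keep the generated config well-formed, e.g. `case "$TURNKEY_FRAME_ANCESTORS" in *[\";]*) echo invalid TURNKEY_FRAME_ANCESTORS >&2; exit 1;; esac &&` prepended to the shell string (with the escaping the JSON form needs). Running `nginx -t -c /tmp/nginx-final.conf` before starting would likewise surface a malformed value at container start instead of at request time.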
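Review bot: `add_header` attaches the header only to 2xx/3xx responses by default, so the `=404` fallback from the `try_files` line below is served without the frame-ancestors policy; adding the `always` flag closes that gap: `add_header Content-Security-Policy "frame-ancestors ${TURNKEY_FRAME_ANCESTORS}" always;`. Note also that nginx inherits `add_header` directives from the enclosing `http` block only when the current level defines none, so any headers set at the http level (not visible in this hunk) would stop being sent for this server once this line exists, and would need to be repeated here. The server block continues outside the hunk.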
@@ -54,4 +54,4 @@ EXPOSE 8085/tcp
 WORKDIR /usr/share/nginx
-CMD ["/bin/sh", "-c", "envsubst '${TURNKEY_FRAME_ANCESTORS}' < /etc/nginx/nginx.conf > /tmp/nginx-final.conf && nginx -c /tmp/nginx-final.conf"]
+CMD ["/bin/sh", "-c", "TURNKEY_FRAME_ANCESTORS=${TURNKEY_FRAME_ANCESTORS:-'none'} envsubst '${TURNKEY_FRAME_ANCESTORS}' < /etc/nginx/nginx.conf > /tmp/nginx-final.conf && nginx -c /tmp/nginx-final.conf"]
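Review bot: The default on the added CMD line produces `none` without the surrounding quotes, because the single quotes inside the unquoted `${TURNKEY_FRAME_ANCESTORS:-'none'}` expansion are shell quoting and are removed by the shell; the header then reads `frame-ancestors none`, which CSP parses as a host-source named `none` rather than the `'none'` keyword. Escape the quotes so they survive into the value, which in the JSON exec form is `TURNKEY_FRAME_ANCESTORS=${TURNKEY_FRAME_ANCESTORS:-\\'none\\'}` (JSON `\\` becomes one shell backslash, and `\'` is a literal quote). It is worth inspecting /tmp/nginx-final.conf in a started container once to confirm it contains `frame-ancestors 'none'`. The `:-` form also treats a set-but-empty variable as unset, which is the behaviour wanted here.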