From a5c2fdebd4718c1f9cb63a9050a93d233aeb01ab Mon Sep 17 00:00:00 2001
From: Benedikt Kulmann
Date: Mon, 27 Jun 2022 10:18:46 +0200
Subject: [PATCH] Allow self for iframes

---
 changelog/unreleased/fix-csp-silent-refresh.md | 6 ++++++
 services/web/pkg/middleware/silentrefresh.go | 1 +
 2 files changed, 7 insertions(+)
 create mode 100644 changelog/unreleased/fix-csp-silent-refresh.md

diff --git a/changelog/unreleased/fix-csp-silent-refresh.md b/changelog/unreleased/fix-csp-silent-refresh.md
new file mode 100644
index 00000000000..3b6f338d371
--- /dev/null
+++ b/changelog/unreleased/fix-csp-silent-refresh.md
@@ -0,0 +1,6 @@
+Bugfix: CSP rules for silent token refresh in iframe
+
+When renewing the access token silently web needs to be opened in an iframe. This was previously blocked by a restrictive iframe CSP rule in the `Secure` middleware and has now been fixed by allow `self` for iframes.
+
+https://github.com/owncloud/ocis/pull/4031
+https://github.com/owncloud/web/issues/7030
diff --git a/services/web/pkg/middleware/silentrefresh.go b/services/web/pkg/middleware/silentrefresh.go
index 84fb50934bf..fa2033fc318 100644
--- a/services/web/pkg/middleware/silentrefresh.go
+++ b/services/web/pkg/middleware/silentrefresh.go
@@ -8,6 +8,7 @@ import (
 func SilentRefresh(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.Header().Set("X-Frame-Options", "SAMEORIGIN")
+		w.Header().Set("Content-Security-Policy", "frame-ancestors 'self'")
 		next.ServeHTTP(w, r)
 	})
 }
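Review bot: `w.Header().Set("Content-Security-Policy", ...)` replaces whatever Content-Security-Policy value an earlier handler already put on the response, so if the `Secure` middleware named in the changelog emits further directives (script-src, default-src, …) for this route they are dropped here instead of only the frame-ancestors directive being relaxed; conversely, if this handler runs before that middleware, the added header is overwritten again and the fix is silently undone. Confirm the middleware order and document the dependency on the new line, e.g. `// Replaces the whole CSP set upstream; the only intended difference is frame-ancestors 'self' so web can be framed for silent refresh.` The X-Frame-Options SAMEORIGIN set on the previous line is the legacy equivalent of frame-ancestors 'self', so the two headers agree. A small httptest that asserts both header values on the recorded response would pin this behavior against future middleware reordering.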