Fix web UI index path http security headers (qdrant#4517)

* Draft: web-ui root endpoint x-frame-options: deny header * Switch to async * Simplify setting frame options header by using DefaultHeaders --------- Co-authored-by: timvisee <tim@visee.me>
AKJUS · Jun 25, 2024 · 7bacd67 · 7bacd67
1 parent 6a14a4b
commit 7bacd67
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 3 deletions.
diff --git a/src/actix/mod.rs b/src/actix/mod.rs
@@ -14,7 +14,8 @@ use ::api::grpc::models::{ApiResponse, ApiStatus, VersionInfo};
 use actix_cors::Cors;
 use actix_multipart::form::tempfile::TempFileConfig;
 use actix_multipart::form::MultipartFormConfig;
-use actix_web::middleware::{Compress, Condition, Logger};
+use actix_web::http::header::HeaderValue;
+use actix_web::middleware::{Compress, Condition, DefaultHeaders, Logger};
 use actix_web::{error, get, web, App, HttpRequest, HttpResponse, HttpServer, Responder};
 use actix_web_extras::middleware::Condition as ConditionEx;
 use collection::operations::validation;
@@ -183,7 +184,15 @@ pub fn init(
 
             if web_ui_available {
                 app = app.service(
-                    actix_files::Files::new(WEB_UI_PATH, &static_folder).index_file("index.html"),
+                    actix_web::web::scope(WEB_UI_PATH)
+                        // For security reasons, deny embedding the web UI in an iframe
+                        .wrap(
+                            DefaultHeaders::new()
+                                .add(("X-Frame-Options", HeaderValue::from_static("DENY"))),
+                        )
+                        .service(
+                            actix_files::Files::new("/", &static_folder).index_file("index.html"),
+                        ),
                 )
             }
             app

diff --git a/tools/sync-web-ui.sh b/tools/sync-web-ui.sh
@@ -10,7 +10,12 @@ OPENAPI_FILE=${OPENAPI_DIR:-"./docs/redoc/master/openapi.json"}
 # Get latest dist.zip, assume jq is installed
 DOWNLOAD_LINK=$(curl --silent "https://api.github.com/repos/qdrant/qdrant-web-ui/releases/latest" | jq -r '.assets[] | select(.name=="dist-qdrant.zip") | .browser_download_url')
 
-wget -O dist-qdrant.zip $DOWNLOAD_LINK
+if command -v wget &> /dev/null
+then
+    wget -O dist-qdrant.zip $DOWNLOAD_LINK
+else
+    curl -L -o dist-qdrant.zip $DOWNLOAD_LINK
+fi
 
 rm -rf "${STATIC_DIR}/"*
 unzip -o dist-qdrant.zip -d "${STATIC_DIR}"