From bdd5ba3e9bd92017fc6e74bf3ae3a9913a43b7f0 Mon Sep 17 00:00:00 2001
From: Quentin Duchemin
Date: Tue, 1 Dec 2020 20:13:06 +0100
Subject: [PATCH] [Peertube] Put CSP for iframe and CORS headers in file for re-use
---
 pica-traefik/traefik_dynamic.toml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/pica-traefik/traefik_dynamic.toml b/pica-traefik/traefik_dynamic.toml
index e13177a..d6c41b4 100644
--- a/pica-traefik/traefik_dynamic.toml
+++ b/pica-traefik/traefik_dynamic.toml
@@ -12,7 +12,6 @@
 [http]
 [http.middlewares.hardening.headers]
- addVaryHeader = true
 browserXssFilter = true
 contentTypeNosniff = true
 forceSTSHeader = true
@@ -26,3 +25,10 @@
 [http.middlewares.compression.compress]
 excludedContentTypes = ["text/event-stream"]
+
+ [http.middlewares.allowFrameAndCORS.headers]
+ contentSecurityPolicy = "frame-ancestors *"
+ accessControlAllowHeaders = ["*"]
+ accessControlAllowMethods = ["GET", "POST", "OPTIONS"]
+ accessControlAllowOriginList = ["*"]
+ accessControlExposeHeaders = ["*"]
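Review bot: The new `allowFrameAndCORS` middleware in the second hunk is meant for re-use, yet nothing in the file says which routers may take it, and it pairs `frame-ancestors *` with a wildcard `accessControlAllowOriginList`, so any router it is attached to gives up clickjacking protection and lets every origin read its responses. I would add a comment above the table such as `# Only for public embed/API routes (PeerTube); never attach to routers serving authenticated or admin UIs, and never combine with accessControlAllowCredentials`. If the origin list is later narrowed to specific hosts, `addVaryHeader = true` (removed from `hardening` in the first hunk) belongs in this table so that caches key on `Origin`. Whether `hardening` also sets a frame option that would contradict this CSP when both middlewares are chained cannot be seen here, since the rest of that table lies outside the hunk.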