author | Ed Tanous <ed@tanous.net> | 2024-04-22 22:41:06 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2024-04-23 18:04:43 +0300 |
commit | 788fe74859b1fa491053d1fcd8bb32f42e7898b6 (patch) | |
tree | a0f4db776dc71a461ab1adcdee8723e27c451e61 /include | |
parent | c056aa7aa2438d16b1a3f1db20e6aac2694ca455 (diff) | |
download | bmcweb-788fe74859b1fa491053d1fcd8bb32f42e7898b6.tar.xz |
Remove XSS prevention code
This feature was created for a time before webpack had a built in proxy,
and to debug the UI required setting specific flags. The webpack proxy
solves this problem in a much better way, by proxying everything.
This commit is one piece in solving a use-after-free bug. Removing
this allows us to no longer have to cache the origin header [1], which
is only used in this mode.
Tested: Code compiles.
[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/70850
Change-Id: I01d67006e217c0c9fd2db7526c0ec34b0da068f3
Signed-off-by: Ed Tanous <ed@tanous.net>
Diffstat (limited to 'include')
-rw-r--r-- | include/cors_preflight.hpp | 19 | ||||
-rw-r--r-- | include/security_headers.hpp | 60 |
2 files changed, 14 insertions, 65 deletions
diff --git a/include/cors_preflight.hpp b/include/cors_preflight.hpp
deleted file mode 100644
index b7272229b1..0000000000
--- a/include/cors_preflight.hpp
+++ /dev/null
@@ -1,19 +0,0 @@
-#pragma once
-
-#include "app.hpp"
-#include "http_request.hpp"
-#include "http_response.hpp"
-
-namespace cors_preflight
-{
-inline void requestRoutes(App& app)
-{
- BMCWEB_ROUTE(app, "<str>")
- .methods(boost::beast::http::verb::options)(
- [](const crow::Request& /*req*/,
- const std::shared_ptr<bmcweb::AsyncResp>&, const std::string&) {
- // An empty body handler that simply returns the headers bmcweb
- uses This allows browsers to do their CORS preflight checks
- });
-}
-} // namespace cors_preflight
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index a9c3fc419a..c0855f439d 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -58,51 +58,19 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
 res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
 res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
- if (bmcwebInsecureDisableXssPrevention == 0)
- {
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src 'self' data:; "
- "font-src 'self'; "
- "style-src 'self'; "
- "script-src 'self'; "
- "connect-src 'self' wss:; "
- "form-action 'none'; "
- "frame-ancestors 'none'; "
- "object-src 'none'; "
- "base-uri 'none' ");
- // The KVM currently needs to load images from base64 encoded
- // strings. img-src 'self' data: is used to allow that.
- // https://stackoverflow.com/questions/18447970/content-security-polic
- // y-data-not-working-for-base64-images-in-chrome-28
- }
- else
- {
- // If XSS is disabled, we need to allow loading from addresses
- // other than self, as the BMC will be hosted elsewhere.
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src * data:; "
- "font-src *; "
- "style-src *; "
- "script-src *; "
- "connect-src *; "
- "form-action *; "
- "frame-ancestors *; "
- "object-src *; "
- "base-uri *");
-
- std::string_view origin = req.getHeaderValue("Origin");
- res.addHeader(bf::access_control_allow_origin, origin);
- res.addHeader(bf::access_control_allow_methods, "GET, "
- "POST, "
- "PUT, "
- "PATCH, "
- "DELETE");
- res.addHeader(bf::access_control_allow_credentials, "true");
- res.addHeader(bf::access_control_allow_headers, "Origin, "
- "Content-Type, "
- "Accept, "
- "Cookie, "
- "X-XSRF-TOKEN");
- }
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src 'self' data:; "
+ "font-src 'self'; "
+ "style-src 'self'; "
+ "script-src 'self'; "
+ "connect-src 'self' wss:; "
+ "form-action 'none'; "
+ "frame-ancestors 'none'; "
+ "object-src 'none'; "
+ "base-uri 'none' ");
+ // The KVM currently needs to load images from base64 encoded
+ // strings. img-src 'self' data: is used to allow that.
+ // https://stackoverflow.com/questions/18447970/content-security-polic
+ // y-data-not-working-for-base64-images-in-chrome-28
 }
 }
|
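Review bot: The now-unconditional Content-Security-Policy literal still ends with a stray space inside the last directive, `"base-uri 'none' ");`, carried over from the removed branch; browsers tolerate it, but `"base-uri 'none'");` would match the other directives and keep the emitted header clean. The removed `if (bmcwebInsecureDisableXssPrevention == 0)` was the only use of that constant in this hunk, so if the build option that defines it still exists elsewhere it now silently does nothing and should be dropped or documented as a no-op, otherwise an operator may believe the relaxed policy is still available. Since the Origin-echoing `Access-Control-Allow-Origin` plus `Access-Control-Allow-Credentials: true` pair is gone, a short comment above the addHeader call such as `// The CSP is fixed; cross-origin UI development is expected to go through the webpack dev proxy rather than a relaxed policy or CORS headers here.` would tell the next reader why no CORS headers are emitted in this function. addSecurityHeaders starts before this hunk, and the hunk header shows `req` already marked `[[maybe_unused]]`, which is consistent with its last visible use being removed.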