Remove XSS prevention code

This feature was created for a time before webpack had a built in proxy,
and to debug the UI required setting specific flags.  The webpack proxy
solves this problem in a much better way, by proxying everything.

This commit is one piece in the solving a use after free bug.  Removing
this allows us to no longer have to cache the origin header [1], which
is only used in this mode.

Tested: Code compiles.

[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/70850

Change-Id: I01d67006e217c0c9fd2db7526c0ec34b0da068f3
Signed-off-by: Ed Tanous <ed@tanous.net>

6 files changed, 14 insertions, 83 deletions

diff --git a/config/bmcweb_config.h.in b/config/bmcweb_config.h.in
index d3b174c470..a8ae29ef91 100644
--- a/config/bmcweb_config.h.in
+++ b/config/bmcweb_config.h.in
@@ -4,9 +4,6 @@
 #include <cstddef>
 
 // clang-format off
-constexpr const int bmcwebInsecureDisableXssPrevention =
-    @BMCWEB_INSECURE_DISABLE_XSS_PREVENTION@;
-
 constexpr const bool bmcwebInsecureEnableQueryParams = @BMCWEB_INSECURE_ENABLE_QUERY_PARAMS@ == 1;
 
 constexpr const size_t bmcwebHttpReqBodyLimitMb = @BMCWEB_HTTP_REQ_BODY_LIMIT_MB@;
diff --git a/config/meson.build b/config/meson.build
index 1c6f78a999..26c9bd4b3a 100644
--- a/config/meson.build
+++ b/config/meson.build
@@ -2,8 +2,6 @@
 
 conf_data = configuration_data()
 conf_data.set('BMCWEB_HTTP_REQ_BODY_LIMIT_MB', get_option('http-body-limit'))
-xss_enabled = get_option('insecure-disable-xss')
-conf_data.set10('BMCWEB_INSECURE_DISABLE_XSS_PREVENTION', xss_enabled.allowed())
 enable_redfish_query = get_option('insecure-enable-redfish-query')
 conf_data.set10('BMCWEB_INSECURE_ENABLE_QUERY_PARAMS', enable_redfish_query.allowed())
 # enable_redfish_aggregation = get_option('redfish-aggregation')
diff --git a/include/cors_preflight.hpp b/include/cors_preflight.hpp
deleted file mode 100644
index b7272229b1..0000000000
--- a/include/cors_preflight.hpp
+++ /dev/null
@@ -1,19 +0,0 @@
-#pragma once
-
-#include "app.hpp"
-#include "http_request.hpp"
-#include "http_response.hpp"
-
-namespace cors_preflight
-{
-inline void requestRoutes(App& app)
-{
-    BMCWEB_ROUTE(app, "<str>")
-        .methods(boost::beast::http::verb::options)(
-            [](const crow::Request& /*req*/,
-               const std::shared_ptr<bmcweb::AsyncResp>&, const std::string&) {
-        // An empty body handler that simply returns the headers bmcweb
-        // uses This allows browsers to do their CORS preflight checks
-    });
-}
-} // namespace cors_preflight
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index a9c3fc419a..c0855f439d 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -58,51 +58,19 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
         res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
         res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
         res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
-        if (bmcwebInsecureDisableXssPrevention == 0)
-        {
-            res.addHeader("Content-Security-Policy", "default-src 'none'; "
-                                                     "img-src 'self' data:; "
-                                                     "font-src 'self'; "
-                                                     "style-src 'self'; "
-                                                     "script-src 'self'; "
-                                                     "connect-src 'self' wss:; "
-                                                     "form-action 'none'; "
-                                                     "frame-ancestors 'none'; "
-                                                     "object-src 'none'; "
-                                                     "base-uri 'none' ");
-            // The KVM currently needs to load images from base64 encoded
-            // strings. img-src 'self' data: is used to allow that.
-            // https://stackoverflow.com/questions/18447970/content-security-polic
-            // y-data-not-working-for-base64-images-in-chrome-28
-        }
-        else
-        {
-            // If XSS is disabled, we need to allow loading from addresses
-            // other than self, as the BMC will be hosted elsewhere.
-            res.addHeader("Content-Security-Policy", "default-src 'none'; "
-                                                     "img-src * data:; "
-                                                     "font-src *; "
-                                                     "style-src *; "
-                                                     "script-src *; "
-                                                     "connect-src *; "
-                                                     "form-action *; "
-                                                     "frame-ancestors *; "
-                                                     "object-src *; "
-                                                     "base-uri *");
-
-            std::string_view origin = req.getHeaderValue("Origin");
-            res.addHeader(bf::access_control_allow_origin, origin);
-            res.addHeader(bf::access_control_allow_methods, "GET, "
-                                                            "POST, "
-                                                            "PUT, "
-                                                            "PATCH, "
-                                                            "DELETE");
-            res.addHeader(bf::access_control_allow_credentials, "true");
-            res.addHeader(bf::access_control_allow_headers, "Origin, "
-                                                            "Content-Type, "
-                                                            "Accept, "
-                                                            "Cookie, "
-                                                            "X-XSRF-TOKEN");
-        }
+        res.addHeader("Content-Security-Policy", "default-src 'none'; "
+                                                 "img-src 'self' data:; "
+                                                 "font-src 'self'; "
+                                                 "style-src 'self'; "
+                                                 "script-src 'self'; "
+                                                 "connect-src 'self' wss:; "
+                                                 "form-action 'none'; "
+                                                 "frame-ancestors 'none'; "
+                                                 "object-src 'none'; "
+                                                 "base-uri 'none' ");
+        // The KVM currently needs to load images from base64 encoded
+        // strings. img-src 'self' data: is used to allow that.
+        // https://stackoverflow.com/questions/18447970/content-security-polic
+        // y-data-not-working-for-base64-images-in-chrome-28
     }
 }
diff --git a/meson_options.txt b/meson_options.txt
index 39a410bc08..d10d1b3dde 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -316,13 +316,6 @@ option(
 )
 
 option(
-    'insecure-disable-xss',
-    type: 'feature',
-    value: 'disabled',
-    description: 'Disable XSS preventions'
-)
-
-option(
     'insecure-tftp-update',
     type: 'feature',
     value: 'disabled',
diff --git a/src/webserver_run.cpp b/src/webserver_run.cpp
index bb037232aa..f02ead96b9 100644
--- a/src/webserver_run.cpp
+++ b/src/webserver_run.cpp
@@ -3,7 +3,6 @@
 #include "bmcweb_config.h"
 
 #include "app.hpp"
-#include "cors_preflight.hpp"
 #include "dbus_monitor.hpp"
 #include "dbus_singleton.hpp"
 #include "event_service_manager.hpp"
@@ -81,11 +80,6 @@ int run()
     crow::google_api::requestRoutes(app);
 #endif
 
-    if (bmcwebInsecureDisableXssPrevention != 0)
-    {
-        cors_preflight::requestRoutes(app);
-    }
-
     crow::login_routes::requestRoutes(app);
 
 #ifdef BMCWEB_ENABLE_VM_NBDPROXY