author | Ed Tanous <ed.tanous@intel.com> | 2018-08-09 20:58:08 +0300 |
committer | Ed Tanous <ed.tanous@intel.com> | 2018-08-15 20:53:41 +0300 |
commit | fd828baf872f3a3d10ae626d4e68509f31b30384 (patch) | |
tree | c6f32ca293d75310212dc2428d8fec4199263a0e | |
parent | 09c9dd01d73b13323a677ab0fd8cb4ff71816c8a (diff) | |
Implement XSS override
There are a number of situations that come up in development, where it
is very useful to launch phosphor-webui from a remote host. Currently
this is disallowed based on the bmcweb security posture.
This commit makes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION much more
useful, by actually applying the headers that would allow one to launch
the webui from a remote system successfully.
Tested by:
Adding BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON to the cmake options
in the bitbake file, then launching phosphor-webui using
npm run-script server
WebUI logged in without issue
Change-Id: I2b7fe53aab611536b4b27b2704e20d098507a5e7
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
-rw-r--r-- | include/security_headers_middleware.hpp | 18 | ||||
-rw-r--r-- | include/webserver_common.hpp | 6 |
2 files changed, 20 insertions, 4 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index f7bc478d97..750f87b719 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -29,7 +29,13 @@ static const char* cacheControlValue = "no-Store,no-Cache";
 struct SecurityHeadersMiddleware {
 struct Context {};
- void beforeHandle(crow::Request& req, Response& res, Context& ctx) {}
+ void beforeHandle(crow::Request& req, Response& res, Context& ctx) {
+#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
+ if ("OPTIONS"_method == req.method()) {
+ res.end();
+ }
+#endif
+ }
 void afterHandle(Request& req, Response& res, Context& ctx) {
 /*
@@ -44,6 +50,16 @@ struct SecurityHeadersMiddleware {
 res.addHeader(contentSecurityKey, contentSecurityValue);
 res.addHeader(pragmaKey, pragmaValue);
 res.addHeader(cacheControlKey, cacheControlValue);
+
+#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
+
+ res.addHeader("Access-Control-Allow-Origin", "http://localhost:8080");
+ res.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH");
+ res.addHeader("Access-Control-Allow-Credentials", "true");
+ res.addHeader("Access-Control-Allow-Headers",
+ "Origin, Content-Type, Accept, Cookie, X-XSRF-TOKEN");
+
+#endif
 }
 };
 } // namespace crow
diff --git a/include/webserver_common.hpp b/include/webserver_common.hpp
index f0cfe11968..684387da31 100644
--- a/include/webserver_common.hpp
+++ b/include/webserver_common.hpp
@@ -19,6 +19,6 @@
 #include "token_authorization_middleware.hpp"
 #include "webserver_common.hpp"
-using CrowApp = crow::App<crow::persistent_data::Middleware,
- crow::token_authorization::Middleware,
- crow::SecurityHeadersMiddleware>;
+using CrowApp = crow::App<crow::SecurityHeadersMiddleware,
+ crow::persistent_data::Middleware,
+ crow::token_authorization::Middleware>; |
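Review bot: The short-circuit in beforeHandle answers every OPTIONS request on every path before routing or any later middleware runs, not only CORS preflights; narrowing the check to requests that also carry an Origin header would leave ordinary OPTIONS requests on their normal path. The response is ended with whatever status res carries by default, and the preflight only receives its CORS headers if the framework still runs this middleware's afterHandle after an early end, which appears to be the intent behind the reordering in webserver_common.hpp but is nowhere stated. I would add `// Dev-only override: answer CORS preflights here; afterHandle still attaches the Access-Control-* headers.` above the `#ifdef`. The hunk's old line count suggests blank lines were lost in rendering, so the surrounding struct body may differ slightly from what is shown.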
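Review bot: The Access-Control-* block in afterHandle carries no comment explaining why Access-Control-Allow-Origin is pinned to a single origin: with `Access-Control-Allow-Credentials: true` browsers refuse a wildcard origin, so the exact dev-server origin is the only form that works, and whoever next edits the value needs to know that. I would add `// Credentialed CORS requires an exact origin; this is the phosphor-webui dev server (npm run-script server).` above the first addHeader call. Access-Control-Allow-Methods lists GET, POST, PUT and PATCH only, so if any route served to the webui uses DELETE its preflight would be refused; confirm against the routes before widening the list. The headers are also emitted on every response, including the preflight answered in beforeHandle, which is fine provided afterHandle does run after an early res.end().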
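Review bot: The reason SecurityHeadersMiddleware now has to come first in the CrowApp alias is not recorded, and the alias is not under the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION guard, so the reordering also takes effect in production builds. It looks like the point is that its beforeHandle must answer OPTIONS preflights before token_authorization can reject the unauthenticated preflight; a comment such as `// SecurityHeadersMiddleware runs first so its beforeHandle can answer CORS preflights ahead of authorization (dev override).` would keep the order from being "tidied" back later. If after-handlers run in reverse order, as is usual for this middleware chain, this also moves the security header insertion to the very end of the response pipeline; that seems harmless but is worth confirming.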