author: Ed Tanous <ed.tanous@intel.com> 2019-08-21 22:50:42 +0300
committer: Ed Tanous <ed.tanous@intel.com> 2019-08-29 19:15:21 +0300
commit: e6de21ad051f226e746f6a522796ef0dace2660b (patch)
tree: 11ed38438cdfc9da41d7438774d63659bfaed03c /include/ast_video_puller.hpp
parent: bc48a175d5cf0b0426a72730e9542042532959cc (diff)
download: bmcweb-e6de21ad051f226e746f6a522796ef0dace2660b.tar.xz

Improve the security headers

This patchset consists of two primary changes.

1. Content-Security-Policy is adjusted such that the "default" allowed source is none, then we explicitly enable the few features we actually use by setting them to self.
2. Updates the XSS variables to simply forward back the hostname given in the AccessControlAllowOrigin flag, which means that webpack dev server could be running on any port.

Tested:
Tested IE11, Edge, Firefox, and Chrome for CSP errors. Firefox flags one error that doesn't seem to affect the webui. All other browsers load without issue.

Tested launching webpack-dev-server with XSS settings enabled. Launches without warning on any port.

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: Id38f607917d19b0106c4c7708c764c45b646891e

Diffstat (limited to 'include/ast_video_puller.hpp')
0 files changed, 0 insertions, 0 deletions