authorEd Tanous <ed@tanous.net>2021-02-07 22:31:07 +0300
committerEd Tanous <ed@tanous.net>2021-02-19 23:40:24 +0300
commit0260d9d6b252d5fef81a51d4797e27a6893827f4 (patch)
treefbaaae47d3a1ad2997f26b52a6760e1dac5f2eef /include/security_headers.hpp
parent71f52d96b51bda2a2f00374237f368e980396692 (diff)
downloadbmcweb-0260d9d6b252d5fef81a51d4797e27a6893827f4.tar.xz
Fix compile issue on DISABLE_XSS_PREVENTION
Fixes #178 Every few months, this option breaks because of some combination of compiler options. I'm hoping that this is a more permanent fix, and will keep it working forever. Functionally, this commit changes a couple things. 1. It fixes the regression that snuck into this option, by making the req variable optional using the c++17 [[maybe_unused]] syntax. 2. It promotes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION into the config.h file, and a constexpr variable rather than a #define. This has the benefit that both the code paths in question will be compiled regardless of whether or not they're used, thus ensuring they stay buildable forever. The optimization path will still delete the code later, but we won't have so many one-off build options breaking. We should move all the other feature driven #ifdefs to this pattern in the future. 3. As a mechanical change to #2, this adds a config.h.in, which declares the various variables as their respective constexpr types. This allows the constants to be used in a cleaner way. As an aside, at some point, DISABLE_XSS_PREVENTION should really move to a non-persistent runtime option rather than a compile time option. Too many people get hung up on having to recompile their BMC, and moving it to runtime under admin credentials is no more a security risk. As another aside, we should move all the other #ifdef style options to this pattern. It seems like it would help with keeping all options buildable, and is definitely more modern than #ifdefs for features, especially if they don't require #include changes or linker changes. Tested: enabled meson option insecure-disable-xss, and verified code builds and works again. Change-Id: Id03faa17cffdbabaf4e5b0d46b24bb58b7f44669 Signed-off-by: Ed Tanous <edtanous@google.com>
Diffstat (limited to 'include/security_headers.hpp')
-rw-r--r--include/security_headers.hpp76
1 files changed, 39 insertions, 37 deletions
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index 13ec893863..e3c472e519 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -2,7 +2,8 @@
#include <http_response.hpp>
-inline void addSecurityHeaders(crow::Response& res)
+inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
+ crow::Response& res)
{
/*
TODO(ed) these should really check content types. for example,
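Review bot: The header now names `crow::Request` in the signature and `bmcwebInsecureDisableXssPrevention` in the body, yet the only include visible here is `<http_response.hpp>`, and the hunk's line counts leave no room for an added include. Unless line 1, which is outside the hunk, already pulls them in, the header compiles only when every includer happens to have the request type and the generated config header in scope first. Including both headers explicitly here would keep this header self-contained. Separately, `[[maybe_unused]]` looks redundant, because both branches are now ordinary code and `req` is always referenced. The function body continues past this hunk.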
@@ -22,40 +23,41 @@ inline void addSecurityHeaders(crow::Response& res)
"mode=block");
res.addHeader("X-Content-Type-Options", "nosniff");
-#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src 'self' data:; "
- "font-src 'self'; "
- "style-src 'self'; "
- "script-src 'self'; "
- "connect-src 'self' wss:");
- // The KVM currently needs to load images from base64 encoded
- // strings. img-src 'self' data: is used to allow that.
- // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
-
-#else
- // If XSS is disabled, we need to allow loading from addresses other
- // than self, as the BMC will be hosted elsewhere.
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src *; "
- "font-src *; "
- "style-src *; "
- "script-src *; "
- "connect-src *");
-
- const std::string_view origin = req.getHeaderValue("Origin");
- res.addHeader(bf::access_control_allow_origin, origin);
- res.addHeader(bf::access_control_allow_methods, "GET, "
- "POST, "
- "PUT, "
- "PATCH, "
- "DELETE");
- res.addHeader(bf::access_control_allow_credentials, "true");
- res.addHeader(bf::access_control_allow_headers, "Origin, "
- "Content-Type, "
- "Accept, "
- "Cookie, "
- "X-XSRF-TOKEN");
-
-#endif
+ if (bmcwebInsecureDisableXssPrevention)
+ {
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src 'self' data:; "
+ "font-src 'self'; "
+ "style-src 'self'; "
+ "script-src 'self'; "
+ "connect-src 'self' wss:");
+ // The KVM currently needs to load images from base64 encoded
+ // strings. img-src 'self' data: is used to allow that.
+ // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
+ }
+ else
+ {
+ // If XSS is disabled, we need to allow loading from addresses other
+ // than self, as the BMC will be hosted elsewhere.
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src *; "
+ "font-src *; "
+ "style-src *; "
+ "script-src *; "
+ "connect-src *");
+
+ const std::string_view origin = req.getHeaderValue("Origin");
+ res.addHeader(bf::access_control_allow_origin, origin);
+ res.addHeader(bf::access_control_allow_methods, "GET, "
+ "POST, "
+ "PUT, "
+ "PATCH, "
+ "DELETE");
+ res.addHeader(bf::access_control_allow_credentials, "true");
+ res.addHeader(bf::access_control_allow_headers, "Origin, "
+ "Content-Type, "
+ "Accept, "
+ "Cookie, "
+ "X-XSRF-TOKEN");
+ }
}
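Review bot: The new condition is inverted relative to the `#ifndef` it replaces. The restrictive `'self'` policy used to be emitted when the insecure option was not defined, but `if (bmcwebInsecureDisableXssPrevention)` now emits it only when the option is on. Assuming the constant is true when `insecure-disable-xss` is enabled, a default build takes the `else` branch, whose own comment says "If XSS is disabled". That branch sends the wildcard CSP, reflects the request's `Origin` into `Access-Control-Allow-Origin`, and sets `Access-Control-Allow-Credentials: true`. The condition should read `if (!bmcwebInsecureDisableXssPrevention)`. The test note covers only the option-enabled build, so a check of the response headers from a default build would catch this.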