path: root/include/security_headers.hpp
author    Jiaqing Zhao <jiaqing.zhao@intel.com>  2022-03-16 19:18:58 +0300
committer Jiaqing Zhao <jiaqing.zhao@intel.com>  2022-03-21 04:50:43 +0300
commit    91ac2e57c416bbdf95fa9242eaf8e5f9e118d5ba (patch)
tree      367e85b8974a85edfa49445702174c272a601080 /include/security_headers.hpp
parent    80badf7ceff486ef2bcb912309563919fc5326ea (diff)
download  bmcweb-91ac2e57c416bbdf95fa9242eaf8e5f9e118d5ba.tar.xz
Replace CSP plugin-types directive with object-src
The HTTP Content-Security-Policy (CSP) plugin-types directive has been removed from the specification and is not supported by most browsers. Chrome browser suggests specifying "object-src 'none'" instead to block plugins, so replace it with that directive. Refer to https://github.com/w3c/webappsec-csp/issues/394 for details about this change.

Tested:
* In Chrome 99.0.4844.74, it no longer gives errors about CSP plugin-types directive.
* Checked neither <embed>, <object> nor <applet> tags are used in either phosphor-webui or webui-vue.
* Using webui-vue, KVM and SOL Console works.

Change-Id: I79d7ed1de2c4d204bf040e7b32a7b6afe354862c
Signed-off-by: Jiaqing Zhao <jiaqing.zhao@intel.com>
Diffstat (limited to 'include/security_headers.hpp')
-rw-r--r--  include/security_headers.hpp  4
1 files changed, 2 insertions, 2 deletions
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index 828a44c2a5..19075fbd73 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -35,7 +35,7 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
"connect-src 'self' wss:; "
"form-action 'none'; "
"frame-ancestors 'none'; "
- "plugin-types 'none'; "
+ "object-src 'none'; "
"base-uri 'none' ");
// The KVM currently needs to load images from base64 encoded
// strings. img-src 'self' data: is used to allow that.
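Review bot: `object-src 'none'` is strictly broader than the `plugin-types 'none'` it replaces: plugin-types only constrained which MIME types a plugin could load, whereas object-src blocks every `<object>`, `<embed>` and `<applet>` source outright, so this hunk only stays behaviour-preserving because the commit message verified that neither phosphor-webui nor webui-vue uses those elements. Consider recording that assumption next to the directive, in the same style as the existing KVM `img-src` comment below it, so that a future UI change that introduces embedded content is not silently blocked without anyone knowing why.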
@@ -54,7 +54,7 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
"connect-src *; "
"form-action *; "
"frame-ancestors *; "
- "plugin-types *; "
+ "object-src *; "
"base-uri *");
const std::string_view origin = req.getHeaderValue("Origin");
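Review bot: `object-src *` keeps this permissive branch symmetric with the sibling `connect-src *`, `form-action *` and `frame-ancestors *` lines, but note that in a CSP source list `*` matches only network-scheme URLs (http, https, ws, wss) and not `data:` or `blob:`; if this branch is intended to lift plugin restrictions entirely, inline-data plugin content would still be blocked, and a short comment stating the intended scope of this wildcard policy would make that explicit.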