path: root/include/security_headers_middleware.hpp
author: Joseph Reynolds <jrey@us.ibm.com> 2018-11-13 22:45:10 +0300
committer: Ed Tanous <ed.tanous@intel.com> 2018-12-04 21:28:48 +0300
commit: 99ad5995089bace233dac20de28ef021591d89c1 (patch)
tree: 7d8bd9c558a51b3e44b3ba34e74e0c47535d3aac /include/security_headers_middleware.hpp
parent: a29c99760b9358576440221c5956d58c015959e8 (diff)
download: bmcweb-99ad5995089bace233dac20de28ef021591d89c1.tar.xz
Update Content-Security-Policy
This changes the HTTP response header X-Content-Security-Policy to Content-Security-Policy and changes its value to allow WebSocket upgrades.

The X-Content-Security-Policy header is deprecated per https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet.

The problem with using the default-src (or connect-src) directive with the 'self' value when upgrading from https: to wss: is that it blocks the upgrade. The problem is described here: https://github.com/w3c/webappsec-csp/issues/7

A similar problem happens with the KVM video (with media-src). I was unable to find an authoritative fix for this problem.

Tested: pending

Change-Id: Ia8df1e8c3900d81242a5e043ee0601e259bbc9d2
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
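The commit message turns on two CSP rules that are easy to get wrong: which directive governs a given request (the request's own directive, else default-src, else nothing) and whether 'self' on an https: page covers a wss: connection. The following is an added example, not bmcweb code, that models those two rules so the old value, the new value and a third candidate can be compared side by side. Assumptions: 'self' is modelled the way the commit message describes it (CSP Level 2 behaviour, scheme and host must both match, so https: does not cover wss:); ports and paths are ignored; only fetch directives that fall back to default-src are handled; the host names bmc.example and attacker.example are constructed sample input.

```cpp
// Added example (not bmcweb code): a minimal model of how a browser picks the
// CSP directive that governs a request and checks it against the source list.
// It models 'self' the way the commit message describes it (CSP Level 2: same
// scheme and host as the page), ignores ports and paths, and handles only the
// fetch directives that fall back to default-src (connect-src, script-src, ...).
#include <algorithm>
#include <iostream>
#include <map>
#include <sstream>
#include <string>
#include <vector>

struct Url {
    std::string scheme;  // e.g. "https" or "wss"
    std::string host;    // e.g. "bmc.example" (a port, if present, stays in host)
};

// Split "wss://bmc.example/ws" into {"wss", "bmc.example"}.
Url parseUrl(const std::string& url) {
    Url u;
    std::size_t sep = url.find("://");
    if (sep == std::string::npos) return u;
    u.scheme = url.substr(0, sep);
    std::string rest = url.substr(sep + 3);
    u.host = rest.substr(0, rest.find('/'));  // npos -> rest of string
    return u;
}

// directive name -> source expressions, e.g. {"script-src": {"'self'"}}
using Policy = std::map<std::string, std::vector<std::string>>;

// Parse a Content-Security-Policy header value such as
// "default-src 'self'; connect-src 'self' wss:".
Policy parsePolicy(const std::string& header) {
    Policy policy;
    std::stringstream directives(header);
    std::string directive;
    while (std::getline(directives, directive, ';')) {
        std::stringstream tokens(directive);
        std::string name;
        if (!(tokens >> name)) continue;  // empty directive (e.g. trailing ';')
        std::vector<std::string> sources;
        std::string source;
        while (tokens >> source) sources.push_back(source);
        policy[name] = sources;
    }
    return policy;
}

// CSP fallback: the request's own directive if present, else default-src,
// else no directive governs the request and it is unrestricted (nullptr).
const std::vector<std::string>* governingSources(const Policy& policy,
                                                 const std::string& directive) {
    auto it = policy.find(directive);
    if (it == policy.end()) it = policy.find("default-src");
    return it == policy.end() ? nullptr : &it->second;
}

// Does one source expression permit `target` from a page at `page`?
bool sourceMatches(const std::string& source, const Url& page, const Url& target) {
    if (source == "'none'") return false;
    if (source == "*") return true;
    // CSP2-style 'self': the scheme must match too, so an https: page cannot reach wss:
    if (source == "'self'")
        return target.scheme == page.scheme && target.host == page.host;
    // scheme-source such as "wss:" matches any host that uses that scheme
    if (source.find("//") == std::string::npos && source.back() == ':')
        return target.scheme + ":" == source;
    // host-source such as "wss://bmc.example"
    Url s = parseUrl(source);
    return s.scheme == target.scheme && s.host == target.host;
}

// Would a page at `pageUrl` be allowed to load `targetUrl` under `directive`?
bool allowed(const std::string& header, const std::string& directive,
             const std::string& pageUrl, const std::string& targetUrl) {
    Policy policy = parsePolicy(header);
    const std::vector<std::string>* sources = governingSources(policy, directive);
    if (sources == nullptr) return true;  // nothing governs the request: anything goes
    Url page = parseUrl(pageUrl), target = parseUrl(targetUrl);
    return std::any_of(sources->begin(), sources->end(),
                       [&](const std::string& s) { return sourceMatches(s, page, target); });
}

int main() {
    // Constructed sample: the old, the new and a candidate policy, checked against
    // the WebSocket the UI needs and a cross-origin connection it should not make.
    const char* page = "https://bmc.example/";
    const char* ws = "wss://bmc.example/ws";
    const char* other = "https://attacker.example/";
    const char* policies[] = {
        "default-src 'self'",                          // value before this patch
        "script-src 'self'; object-src 'self'",        // value after this patch
        "default-src 'self'; connect-src 'self' wss:"  // keeps default-src, allows wss
    };
    for (const char* p : policies) {
        std::cout << p << "\n  connect to " << ws << ": "
                  << (allowed(p, "connect-src", page, ws) ? "allowed" : "blocked")
                  << "\n  connect to " << other << ": "
                  << (allowed(p, "connect-src", page, other) ? "allowed" : "blocked") << "\n";
    }
    return 0;
}
```

Run as written, the old value blocks the wss: upgrade (matching the commit message), the new value allows it but also allows a connection to attacker.example, because nothing governs connect-src any more, and the candidate value allows the upgrade while still blocking the cross-origin connection. One caveat on the model: browsers implementing CSP Level 3 resolved the linked W3C issue by letting 'self' on an https: page also match wss: on the same host, so on those browsers the first policy no longer blocks the upgrade; the fallback rule in governingSources is unchanged.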
Diffstat (limited to 'include/security_headers_middleware.hpp')
-rw-r--r-- include/security_headers_middleware.hpp | 5
1 files changed, 3 insertions, 2 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 561fd81635..04fc913c27 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -18,8 +18,9 @@ static const char* xframeValue = "DENY";
static const char* xssKey = "X-XSS-Protection";
static const char* xssValue = "1; mode=block";
-static const char* contentSecurityKey = "X-Content-Security-Policy";
-static const char* contentSecurityValue = "default-src 'self'";
+static const char* contentSecurityKey = "Content-Security-Policy";
+static const char* contentSecurityValue =
+ "script-src 'self'; object-src 'self'";
static const char* pragmaKey = "Pragma";
static const char* pragmaValue = "no-cache";
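Review bot: dropping `default-src 'self'` without adding a `connect-src` directive (the two new lines `"script-src 'self'; object-src 'self'"`) leaves connect-src, img-src, style-src, media-src, frame-src and every other fetch directive not named here with no governing directive at all, so the new header lets the UI open XHR, fetch and WebSocket connections to any origin, far more than the wss: upgrade the commit message is trying to permit. Keeping the fallback and widening only the directive that needs it would be `"default-src 'self'; connect-src 'self' wss:"` (plus a `media-src` entry if the KVM stream really needs one); `wss:` alone still allows WebSockets to any wss host, which is about as tight as a compile-time `static const char*` can get without knowing the BMC's own host name. Two smaller points: `object-src 'self'` is unusual, `object-src 'none'` is the expected value unless the BMC actually serves <object>/<embed> content, and the "Tested: pending" in the message should be replaced with the actual result (browser console showing the WebSocket upgrade succeeding under the new header) before this merges.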