| author | Joseph Reynolds <jrey@us.ibm.com> | 2018-11-13 22:45:10 +0300 |
|---|---|---|
| committer | Ed Tanous <ed.tanous@intel.com> | 2018-12-04 21:28:48 +0300 |
| commit | 99ad5995089bace233dac20de28ef021591d89c1 (patch) | |
| tree | 7d8bd9c558a51b3e44b3ba34e74e0c47535d3aac /include/security_headers_middleware.hpp | |
| parent | a29c99760b9358576440221c5956d58c015959e8 (diff) | |
| download | bmcweb-99ad5995089bace233dac20de28ef021591d89c1.tar.xz | |
Update Content-Security-Policy
This changes the HTTP response header X-Content-Security-Policy
to Content-Security-Policy and changes its value to allow WebSocket
upgrades.
The X-Content-Security-Policy header is deprecated per
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet.
The problem with using the default-src (or connect-src) directive with
the 'self' value when upgrading from https: to wss: is that it blocks
the upgrade. The problem is described here:
https://github.com/w3c/webappsec-csp/issues/7
A similar problem happens with the KVM video (with media-src).
I was unable to find an authoritative fix for this problem.
Tested: pending
Change-Id: Ia8df1e8c3900d81242a5e043ee0601e259bbc9d2
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
Diffstat (limited to 'include/security_headers_middleware.hpp')
-rw-r--r-- | include/security_headers_middleware.hpp | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp index 561fd81635..04fc913c27 100644 --- a/include/security_headers_middleware.hpp +++ b/include/security_headers_middleware.hpp @@ -18,8 +18,9 @@ static const char* xframeValue = "DENY"; static const char* xssKey = "X-XSS-Protection"; static const char* xssValue = "1; mode=block"; -static const char* contentSecurityKey = "X-Content-Security-Policy"; -static const char* contentSecurityValue = "default-src 'self'"; +static const char* contentSecurityKey = "Content-Security-Policy"; +static const char* contentSecurityValue = + "script-src 'self'; object-src 'self'"; static const char* pragmaKey = "Pragma"; static const char* pragmaValue = "no-cache"; |
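Review bot: Replacing `default-src 'self'` with only `script-src 'self'; object-src 'self'` removes the fallback for every directive not named, so connect-src, media-src, img-src, style-src, font-src, frame-src and the rest become unrestricted; the WebSocket and KVM video problems described in the message are solved here by switching the policy off for those resource types, not by allowing the specific sources. Keep `default-src 'self'` as the baseline and add the directives that need widening explicitly, for example `connect-src 'self' wss:` and `media-src 'self'` (narrowing `wss:` to the BMC's own host where the deployment allows it), so the remaining resource types stay restricted to same-origin. Also note that the value is now split across two string literals (`+static const char* contentSecurityValue =` / `+ "script-src 'self'; object-src 'self'";`), which is fine, but the message still says "Tested: pending"; the WebSocket upgrade and KVM stream should be confirmed under the new header value before this is merged, since the whole point of the change is that behaviour.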