author | Ed Tanous <ed.tanous@intel.com> | 2018-08-09 20:58:08 +0300 |
---|---|---|
committer | Ed Tanous <ed.tanous@intel.com> | 2018-08-15 20:53:41 +0300 |
commit | fd828baf872f3a3d10ae626d4e68509f31b30384 (patch) | |
tree | c6f32ca293d75310212dc2428d8fec4199263a0e /include/webserver_common.hpp | |
parent | 09c9dd01d73b13323a677ab0fd8cb4ff71816c8a (diff) | |
download | bmcweb-fd828baf872f3a3d10ae626d4e68509f31b30384.tar.xz |
Implement XSS override
There are a number of situations that come up in development, where it
is very useful to launch phosphor-webui from a remote host. Currently
this is disallowed based on the bmcweb security posture.
This commit makes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION much more
useful, by actually applying the headers that would allow one to launch
the webui from a remote system successfully.
Tested by:
Adding BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON to the cmake options
in the bitbake file, then launching phosphor-webui using
npm run-script server
WebUI logged in without issue
Change-Id: I2b7fe53aab611536b4b27b2704e20d098507a5e7
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'include/webserver_common.hpp')
-rw-r--r-- | include/webserver_common.hpp | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/include/webserver_common.hpp b/include/webserver_common.hpp index f0cfe11968..684387da31 100644 --- a/include/webserver_common.hpp +++ b/include/webserver_common.hpp @@ -19,6 +19,6 @@ #include "token_authorization_middleware.hpp" #include "webserver_common.hpp" -using CrowApp = crow::App<crow::persistent_data::Middleware, - crow::token_authorization::Middleware, - crow::SecurityHeadersMiddleware>; +using CrowApp = crow::App<crow::SecurityHeadersMiddleware, + crow::persistent_data::Middleware, + crow::token_authorization::Middleware>; |
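Review bot: The reorder of the `CrowApp` template arguments is unconditional: nothing in the visible hunk guards it on BMCWEB_INSECURE_DISABLE_XSS_PREVENTION, so moving `crow::SecurityHeadersMiddleware` ahead of `crow::persistent_data::Middleware` and `crow::token_authorization::Middleware` changes middleware ordering in default (secure) builds as well, while the commit message only reports a test with the option ON. Since the ordering is now load-bearing, please add a comment above the alias saying why `crow::SecurityHeadersMiddleware` has to be first, and confirm that a default build still returns the same security headers, including on responses rejected by the token authorization middleware. Separately, the context line `#include "webserver_common.hpp"` sits inside include/webserver_common.hpp itself; that self-include looks unintended and could be dropped in a follow-up.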