author: Ed Tanous <ed.tanous@intel.com> 2018-08-09 20:58:08 +0300
committer: Ed Tanous <ed.tanous@intel.com> 2018-08-15 20:53:41 +0300
commit: fd828baf872f3a3d10ae626d4e68509f31b30384
tree: c6f32ca293d75310212dc2428d8fec4199263a0e /include/webserver_common.hpp
parent: 09c9dd01d73b13323a677ab0fd8cb4ff71816c8a
Implement XSS override
There are a number of situations that come up in development, where it is very useful to launch phosphor-webui from a remote host. Currently this is disallowed based on the bmcweb security posture. This commit makes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION much more useful, by actually applying the headers that would allow one to launch the webui from a remote system successfully.

Tested by:
Adding BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON to the cmake options in the bitbake file, then launching phosphor-webui using npm run-script server
WebUI logged in without issue

Change-Id: I2b7fe53aab611536b4b27b2704e20d098507a5e7
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'include/webserver_common.hpp')
-rw-r--r-- include/webserver_common.hpp 6
1 file changed, 3 insertions, 3 deletions
diff --git a/include/webserver_common.hpp b/include/webserver_common.hpp
index f0cfe11968..684387da31 100644
--- a/include/webserver_common.hpp
+++ b/include/webserver_common.hpp
@@ -19,6 +19,6 @@
#include "token_authorization_middleware.hpp"
#include "webserver_common.hpp"
-using CrowApp = crow::App<crow::persistent_data::Middleware,
- crow::token_authorization::Middleware,
- crow::SecurityHeadersMiddleware>;
+using CrowApp = crow::App<crow::SecurityHeadersMiddleware,
+ crow::persistent_data::Middleware,
+ crow::token_authorization::Middleware>;
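Review bot: The new position of `crow::SecurityHeadersMiddleware` at the head of the `CrowApp` alias is an ordering dependency that nothing in the file documents, and the reorder is unconditional here, so it applies to default builds as well as to builds with BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON. Please add a comment on the alias stating why the security headers middleware has to come before `crow::persistent_data::Middleware` and `crow::token_authorization::Middleware`, so a later cleanup does not silently restore the old order. Please also confirm that in a normal build, responses produced when the token authorization middleware rejects a request still carry the full set of security headers after this change. Separately, the context lines show `#include "webserver_common.hpp"` inside include/webserver_common.hpp itself; that self-include looks unintended and could be dropped in a follow-up.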