| author | Ed Tanous <ed@tanous.net> | 2024-03-22 02:35:26 +0300 |
|---|---|---|
| committer | Ed Tanous <ed@tanous.net> | 2024-03-22 03:33:25 +0300 |
| commit | a10321e7924da96e6a11aa151347edf3314fed1c | |
| tree | fd6f7cc09864f35b91aa49000adddc3d2b0808ef /include | |
| parent | e10f0176d66a2737edefec71f40376566769712b | |
Fix content-security-policy disable
If one sets the XSS policy to disable, and tries to load the webui, they're
met with the following error message:
```
chunk-vendors.6cfb4b74.js:36 Refused to load the image
'data:image/svg+xml;charset=utf-8,%3Csvg
xmlns='http://www.w3.org/2000/svg' width='4' height='5'%3E%3Cpath
fill='%233f3f3f' d='M2 0L0 2h4zm0 5L0 3h4z'/%3E%3C/svg%3E' because it
violates the following Content Security Policy directive: "img-src *".
Note that '*' matches only URLs with network schemes ('http', 'https',
'ws', 'wss'), or URLs whose scheme matches `self`'s scheme. The scheme
'data:' must be added explicitly.
```
Do as it asks, and add data: to the content security policy.
Tested: Browser console no longer shows error when XSS is enabled.
Change-Id: I17f70d7c87a284b33ef6eb5a01a01c23a14898c9
Signed-off-by: Ed Tanous <ed@tanous.net>
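The browser message quoted above states the CSP matching rule that this fix works around: the `*` host wildcard covers only network schemes (and self's scheme), so a `data:` image needs an explicit scheme-source. The following added example, which is not part of the bmcweb change, reproduces that rule for a single directive so the before/after headers from the hunk can be checked offline; host-sources and `'self'` are deliberately out of scope, and the two headers are constructed from the directives visible in the diff.

```cpp
#include <iostream>
#include <sstream>
#include <string>
#include <vector>
// Constructed headers modelled on the hunk: the relaxed policy before and after
// the fix (only the directives visible in the diff are reproduced).
const std::string kImgSrcBefore = "default-src 'none'; img-src *; font-src *; style-src *; script-src *;";
const std::string kImgSrcAfter  = "default-src 'none'; img-src * data:; font-src *; style-src *; script-src *;";

// Scheme of a URL: everything before the first ':' (e.g. "data", "https").
static std::string schemeOf(const std::string& url) { return url.substr(0, url.find(':')); }

// Source list of `directive`; falls back to default-src when it is absent.
static std::vector<std::string> sourcesFor(const std::string& csp, const std::string& directive) {
    std::vector<std::string> fallback;
    std::istringstream parts(csp);
    for (std::string part; std::getline(parts, part, ';');) {
        std::istringstream tokens(part);
        std::string name;
        tokens >> name;
        std::vector<std::string> sources;
        for (std::string s; tokens >> s;) sources.push_back(s);
        if (name == directive) return sources;
        if (name == "default-src") fallback = sources;
    }
    return fallback;
}

// One source expression vs. one URL, following the rule quoted in the browser error:
// '*' covers only network schemes or self's scheme; other schemes need a scheme-source.
static bool sourceAllows(const std::string& src, const std::string& url, const std::string& selfScheme) {
    const std::string scheme = schemeOf(url);
    if (src == "*")
        return scheme == "http" || scheme == "https" || scheme == "ws" || scheme == "wss" || scheme == selfScheme;
    if (src.size() > 1 && src.back() == ':') return src == scheme + ":";  // scheme-source, e.g. "data:"
    return false;  // 'none', 'self' and host-sources are treated as non-matching in this example
}

// Would a page served over `selfScheme` be allowed to load `url` under `directive`?
bool cspAllows(const std::string& csp, const std::string& directive, const std::string& url, const std::string& selfScheme) {
    for (const auto& src : sourcesFor(csp, directive))
        if (sourceAllows(src, url, selfScheme)) return true;
    return false;
}

int main() {
    const std::string svgIcon = "data:image/svg+xml;charset=utf-8,%3Csvg%3E";  // constructed, shaped like the webui icon
    std::cout << "before: " << cspAllows(kImgSrcBefore, "img-src", svgIcon, "https") << '\n';  // 0: refused, as reported
    std::cout << "after:  " << cspAllows(kImgSrcAfter, "img-src", svgIcon, "https") << '\n';   // 1: allowed
}
```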
Diffstat (limited to 'include')

| -rw-r--r-- | include/security_headers.hpp | 2 |
|---|---|---|

1 files changed, 1 insertions, 1 deletions
diff --git a/include/security_headers.hpp b/include/security_headers.hpp index 236b367fac..9af494d21b 100644 --- a/include/security_headers.hpp +++ b/include/security_headers.hpp @@ -82,7 +82,7 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]], // If XSS is disabled, we need to allow loading from addresses other // than self, as the BMC will be hosted elsewhere. res.addHeader("Content-Security-Policy", "default-src 'none'; " - "img-src *; " + "img-src * data:; " "font-src *; " "style-src *; " "script-src *; " |
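Review bot: the comment above the header in this hunk ("If XSS is disabled, we need to allow loading from addresses other than self, as the BMC will be hosted elsewhere.") justifies the `*` host wildcard but says nothing about the `data:` scheme-source now appended to `img-src`, so a later cleanup could drop it without noticing the webui breaks; suggest extending the comment with the reason from the commit message, e.g. `// '*' matches only network schemes; the webui's inline SVG icons are data: URLs, so allow those too`. Adding `data:` only to `img-src` (not to `script-src` or `style-src`) inside a branch that is already fully open is a low-risk widening, and nothing else in the hunk changes.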