authorEd Tanous <ed.tanous@intel.com>2019-09-24 00:06:03 +0300
committerEd Tanous <ed.tanous@intel.com>2019-10-12 00:13:40 +0300
commita3268f98f308ca7c8660b1ace44d5b9a40be204b (patch)
tree7f5507905e8a0fd984cd5f790c119b1c382bd9a9 /include
parentcb103130e18689b9a8e15284f930606d512328cd (diff)
Fix content-security-policy when XSS is disabled
Content-Security-Policy is a bit odd when loading from another source. Technically, everything is cross-site when in a debug context, so blocking cross-site scripting in this case is a bit nonsensical. Tested: This was reported to me, but I was unable to reproduce, so there is no way to really test it. Pushing for someone else to be able to test first, then will update this once done. Signed-off-by: Ed Tanous <ed.tanous@intel.com> Change-Id: I9ae125a5577c43164d5b3b1280b783336fbfec71
Diffstat (limited to 'include')
-rw-r--r--include/security_headers_middleware.hpp22
1 files changed, 16 insertions, 6 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 83df24c194..a89acaa603 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -37,6 +37,11 @@ struct SecurityHeadersMiddleware
res.addHeader(bf::pragma, "no-cache");
res.addHeader(bf::cache_control, "no-Store,no-Cache");
+ res.addHeader("X-XSS-Protection", "1; "
+ "mode=block");
+ res.addHeader("X-Content-Type-Options", "nosniff");
+
+#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
res.addHeader("Content-Security-Policy", "default-src 'none'; "
"img-src 'self' data:; "
"font-src 'self'; "
@@ -47,13 +52,18 @@ struct SecurityHeadersMiddleware
// strings. img-src 'self' data: is used to allow that.
// https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
- res.addHeader("X-XSS-Protection", "1; "
- "mode=block");
- res.addHeader("X-Content-Type-Options", "nosniff");
+#else
+ // If XSS is disabled, we need to allow loading from addresses other
+ // than self, as the BMC will be hosted elsewhere.
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src *; "
+ "font-src *; "
+ "style-src *; "
+ "script-src *; "
+ "connect-src *");
-#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
- res.addHeader(bf::access_control_allow_origin,
- req.getHeaderValue("Origin"));
+ const std::string_view origin = req.getHeaderValue("Origin");
+ res.addHeader(bf::access_control_allow_origin, origin);
res.addHeader(bf::access_control_allow_methods, "GET, "
"POST, "
"PUT, "