author | Ed Tanous <ed@tanous.net> | 2024-04-14 19:57:09 +0300 |
---|---|---|
committer | Ed Tanous <ed@tanous.net> | 2024-04-23 17:58:29 +0300 |
commit | c056aa7aa2438d16b1a3f1db20e6aac2694ca455 (patch) | |
tree | 7328ae94e1c35298b27d542480d42dcff36d7203 /test/http/http_connection_test.cpp | |
parent | 003301a24bad4cfe066bb1f5720243a3f7c45742 (diff) | |
download | bmcweb-c056aa7aa2438d16b1a3f1db20e6aac2694ca455.tar.xz |
Implement a Content-Security-Policy TODO
This TODO has been in bmcweb for a very long time. Implement it.
W3 sets rules for what security policies apply to which content
types[1]. Reading through this, essentially CSP should only apply to
HTML files.
Tested: Unit tests pass. Webui loads properly. Chrome network window
shows headers show up as expected.
[1] https://www.w3.org/TR/CSP2/#which-policy-applies
Change-Id: I5467d0373832668763c72a66da2a8872e07bfb58
Signed-off-by: Ed Tanous <ed@tanous.net>
Diffstat (limited to 'test/http/http_connection_test.cpp')
-rw-r--r-- | test/http/http_connection_test.cpp | 8 |
1 files changed, 0 insertions, 8 deletions
diff --git a/test/http/http_connection_test.cpp b/test/http/http_connection_test.cpp index 4dda70ecf8..caf50c8a62 100644 --- a/test/http/http_connection_test.cpp +++ b/test/http/http_connection_test.cpp @@ -84,17 +84,9 @@ TEST(http_connection, RequestPropogates) "HTTP/1.1 200 OK\r\n" "Connection: close\r\n" "Strict-Transport-Security: max-age=31536000; includeSubdomains\r\n" - "X-Frame-Options: DENY\r\n" "Pragma: no-cache\r\n" "Cache-Control: no-store, max-age=0\r\n" "X-Content-Type-Options: nosniff\r\n" - "Referrer-Policy: no-referrer\r\n" - "Permissions-Policy: accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wak-lock=(),web-share=(),xr-spatial-tracking=()\r\n" - "X-Permitted-Cross-Domain-Policies: none\r\n" - "Cross-Origin-Embedder-Policy: require-corp\r\n" - "Cross-Origin-Opener-Policy: same-origin\r\n" - "Cross-Origin-Resource-Policy: same-origin\r\n" - "Content-Security-Policy: default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'\r\n" "Date: TestTime\r\n" "Content-Length: 0\r\n\r\n"; EXPECT_EQ(outStr, expected); |
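Review bot: with the CSP and its companion headers (X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Permitted-Cross-Domain-Policies, Cross-Origin-Embedder-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy) removed from this expectation, RequestPropogates now only covers the path where the policy headers are absent, and nothing in this test file asserts that they are still emitted for an HTML response; please add a second expected response string for a text/html reply that keeps the removed lines (e.g. "X-Frame-Options: DENY\r\n" and the "Content-Security-Policy: default-src 'none'; ..." line) so a regression in the HTML branch fails the unit test rather than only showing up in manual Chrome inspection. The commit message only justifies dropping the CSP header, so it should also state why the other seven headers are gated on the same content-type condition. Minor: the removed Permissions-Policy line spells the feature "screen-wak-lock"; wherever that header string now lives, the spelling is worth checking.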