Diffstat (limited to 'include')
-rw-r--r-- | include/cors_preflight.hpp | 19 | ||||
-rw-r--r-- | include/security_headers.hpp | 60 |
2 files changed, 14 insertions, 65 deletions
diff --git a/include/cors_preflight.hpp b/include/cors_preflight.hpp
deleted file mode 100644
index b7272229b1..0000000000
--- a/include/cors_preflight.hpp
+++ /dev/null
@@ -1,19 +0,0 @@
-#pragma once
-
-#include "app.hpp"
-#include "http_request.hpp"
-#include "http_response.hpp"
-
-namespace cors_preflight
-{
-inline void requestRoutes(App& app)
-{
- BMCWEB_ROUTE(app, "<str>")
- .methods(boost::beast::http::verb::options)(
- [](const crow::Request& /*req*/,
- const std::shared_ptr<bmcweb::AsyncResp>&, const std::string&) {
- // An empty body handler that simply returns the headers bmcweb
- // uses This allows browsers to do their CORS preflight checks
- });
-}
-} // namespace cors_preflight
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index a9c3fc419a..c0855f439d 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -58,51 +58,19 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
 res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
 res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
 res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
- if (bmcwebInsecureDisableXssPrevention == 0)
- {
- res.addHeader("Content-Security-Policy", "default-src 'none'; " "img-src 'self' data:; " "font-src 'self'; " "style-src 'self'; " "script-src 'self'; " "connect-src 'self' wss:; " "form-action 'none'; " "frame-ancestors 'none'; " "object-src 'none'; " "base-uri 'none' ");
- // The KVM currently needs to load images from base64 encoded
- // strings. img-src 'self' data: is used to allow that.
- // https://stackoverflow.com/questions/18447970/content-security-polic
- // y-data-not-working-for-base64-images-in-chrome-28
- }
- else
- {
- // If XSS is disabled, we need to allow loading from addresses
- // other than self, as the BMC will be hosted elsewhere.
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src * data:; "
- "font-src *; "
- "style-src *; "
- "script-src *; "
- "connect-src *; "
- "form-action *; "
- "frame-ancestors *; "
- "object-src *; "
- "base-uri *");
-
- std::string_view origin = req.getHeaderValue("Origin");
- res.addHeader(bf::access_control_allow_origin, origin);
- res.addHeader(bf::access_control_allow_methods, "GET, "
- "POST, "
- "PUT, "
- "PATCH, "
- "DELETE");
- res.addHeader(bf::access_control_allow_credentials, "true");
- res.addHeader(bf::access_control_allow_headers, "Origin, "
- "Content-Type, "
- "Accept, "
- "Cookie, "
- "X-XSRF-TOKEN");
- }
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src 'self' data:; "
+ "font-src 'self'; "
+ "style-src 'self'; "
+ "script-src 'self'; "
+ "connect-src 'self' wss:; "
+ "form-action 'none'; "
+ "frame-ancestors 'none'; "
+ "object-src 'none'; "
+ "base-uri 'none' ");
+ // The KVM currently needs to load images from base64 encoded
+ // strings. img-src 'self' data: is used to allow that.
+ // https://stackoverflow.com/questions/18447970/content-security-polic
+ // y-data-not-working-for-base64-images-in-chrome-28
 }
 }
|
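Review bot: The `connect-src 'self' wss:` source in the added Content-Security-Policy value allows the page to open WebSocket connections to any host over wss:, not just back to the BMC; under CSP Level 3 `'self'` already matches same-origin ws:/wss:, so the scheme-wide `wss:` is only needed for browsers that predate that rule. Either tighten it to `"connect-src 'self'; "` or keep it and record the reason in a comment, e.g. `// wss: kept for browsers whose 'self' does not cover WebSocket schemes`. With the Origin-reflecting branch gone, `req` is no longer referenced anywhere in the hunk; the signature of addSecurityHeaders lies outside the hunk and the hunk header suggests the parameter already carries [[maybe_unused]], which is worth confirming so the build stays warning-free. The stackoverflow URL in the new comment is split across two lines, which makes it unusable as a link; keeping the URL whole on one line would help the next reader.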