This reverts commit 99ad5995089bace233dac20de28ef021591d89c1.
Reason for revert:
This causes a major regression on the web console. Login page fails to load in Chrome, with a content-security-policy error. Reverting to regain stability, then we can reopen with a new patchset.
Change-Id: If75b6614ad4cd9732725893040a85589e0d1bb9a
|
|
This changes the HTTP response header X-Content-Security-Policy
to Content-Security-Policy and changes its value to allow WebSocket
upgrades.
The X-Content-Security-Policy header is deprecated per
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet.
The problem with using the default-src (or connect-src) directive with
the 'self' value when upgrading from https: to wss: is that it blocks
the upgrade. The problem is described here:
https://github.com/w3c/webappsec-csp/issues/7
A similar problem happens with the KVM video (with media-src).
I was unable to find an authoritative fix for this problem.
Tested: pending
Change-Id: Ia8df1e8c3900d81242a5e043ee0601e259bbc9d2
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
|
|
This commit moves the codebase to the latest clang-format file from
upstream, as well as clang-format-6.0.
Change-Id: Ice8313468097c0c42317fbb9e10ddf036e8cff4c
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
There are a number of situations that come up in development, where it
is very useful to launch phosphor-webui from a remote host. Currently
this is disallowed based on the bmcweb security posture.
This commit makes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION much more
useful, by actually applying the headers that would allow one to launch
the webui from a remote system successfully.
Tested by:
Adding BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON to the cmake options
in the bitbake file, then launching phosphor-webui using
npm run-script server
WebUI logged in without issue
Change-Id: I2b7fe53aab611536b4b27b2704e20d098507a5e7
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
This patchset moves bmcweb over to the upstream style naming
conventions for variables, classes, and functions, as well as imposes
the latest clang-format file.
This changeset was mostly built automatically by the included
.clang-tidy file, which has the ability to autoformat and auto rename
variables. At some point in the future I would like to see this in
greater use, but for now, we will impose it on bmcweb, and see how it
goes.
Tested: Code still compiles, and appears to run, although other issues
are possible and likely.
Change-Id: If422a2e36df924e897736b3feffa89f411d9dac1
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
|
|
Change-Id: I86146edde21bac89e6cc30afdd79690e2b0adadd
|
|
Do not merge yet
Change-Id: I38c56844c1b0e3e8e5493c2705e62e6db7ee2102