From fd828baf872f3a3d10ae626d4e68509f31b30384 Mon Sep 17 00:00:00 2001
From: Ed Tanous <ed.tanous@intel.com>
Date: Thu, 9 Aug 2018 10:58:08 -0700
Subject: Implement XSS override

There are a number of situations that come up in developement, where it
is very useful to launch phosphor-webui from a remote host.  Currently
this is disallowed based on the bmcweb security posture.

This commit makes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION much more
useful, by actually applying the headers that would allow one to launch
the webui from a remote system successfully.

Tested by:
Adding BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON to the cmake options
in the bitbake file, then launching phosphor-webui using
npm run-script server

WebUI logged in without issue

Change-Id: I2b7fe53aab611536b4b27b2704e20d098507a5e7
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
---
 include/webserver_common.hpp | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

(limited to 'include/webserver_common.hpp')

diff --git a/include/webserver_common.hpp b/include/webserver_common.hpp
index f0cfe11968..684387da31 100644
--- a/include/webserver_common.hpp
+++ b/include/webserver_common.hpp
@@ -19,6 +19,6 @@
 #include "token_authorization_middleware.hpp"
 #include "webserver_common.hpp"
 
-using CrowApp = crow::App<crow::persistent_data::Middleware,
-                          crow::token_authorization::Middleware,
-                          crow::SecurityHeadersMiddleware>;
+using CrowApp = crow::App<crow::SecurityHeadersMiddleware,
+                          crow::persistent_data::Middleware,
+                          crow::token_authorization::Middleware>;
-- 
cgit v1.2.3