Add form-action to CSP

This option restricts all form submissions to the WebUI's origin. qBittorrent only ever submits forms to the origin, so this is intended as a security measure.
2025-03-13 05:41:17 +00:00 · 2018-05-31 00:51:48 -04:00 · 2018-05-31 00:51:48 -04:00 · 43656aaa1e
commit 43656aaa1e
parent 8f98f87d12
1 changed files with 1 additions and 1 deletions
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@ -534,7 +534,7 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
    header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
    header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");

-    QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
+    QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
    if (m_isClickjackingProtectionEnabled) {
        header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
        csp += QLatin1String(" frame-ancestors 'self';");