Merge pull request #9013 from Piccirello/strengthen-csp

More restrictive Content Security Policy
7 years ago · 5f8feec1c1
3 changed files with 9 additions and 4 deletions
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@ -432,6 +432,7 @@ void WebApplication::configure()
				@@ -432,6 +432,7 @@ void WebApplication::configure()

    m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
    m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+    m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }

 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -534,11 +535,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
				@@ -534,11 +535,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
    header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
    header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");

-    QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
+    QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
    if (m_isClickjackingProtectionEnabled) {
        header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
        csp += QLatin1String(" frame-ancestors 'self';");
    }
+    if (m_isHttpsEnabled) {
+        csp += QLatin1String(" upgrade-insecure-requests;");
+    }

    header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);

--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@ -146,4 +146,5 @@ private:
				@@ -146,4 +146,5 @@ private:
    // security related
    bool m_isClickjackingProtectionEnabled;
    bool m_isCSRFProtectionEnabled;
+    bool m_isHttpsEnabled;
 };
--- a/src/webui/www/private/preferences_content.html
+++ b/src/webui/www/private/preferences_content.html
@ -733,9 +733,9 @@
				@@ -733,9 +733,9 @@

    // Web UI tab
    updateHttpsSettings = function() {
-        var isAddTrackersEnabled = $('use_https_checkbox').getProperty('checked');
-        $('ssl_key_textarea').setProperty('disabled', !isAddTrackersEnabled);
-        $('ssl_cert_textarea').setProperty('disabled', !isAddTrackersEnabled);
+        var isUseHttpsEnabled = $('use_https_checkbox').getProperty('checked');
+        $('ssl_key_textarea').setProperty('disabled', !isUseHttpsEnabled);
+        $('ssl_cert_textarea').setProperty('disabled', !isUseHttpsEnabled);
    };

    updateBypasssAuthSettings = function() {