d4708/qBittorrent
1
0
Fork 0
mirror of https://github.com/d47081/qBittorrent.git synced 2025-01-14 00:37:58 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #9013 from Piccirello/strengthen-csp

Browse Source 
More restrictive Content Security Policy
This commit is contained in:
Mike Tzou 2018-06-03 21:43:39 +08:00 committed by GitHub
commit 5f8feec1c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/webui/webapplication.cpp
View File

@ -432,6 +432,7 @@ void WebApplication::configure()
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
}
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -534,11 +535,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
if (m_isClickjackingProtectionEnabled) {
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';");
}
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);

1
src/webui/webapplication.h
View File

@ -146,4 +146,5 @@ private:
// security related
bool m_isClickjackingProtectionEnabled;
bool m_isCSRFProtectionEnabled;
bool m_isHttpsEnabled;
};

6
src/webui/www/private/preferences_content.html
View File

@ -733,9 +733,9 @@
// Web UI tab
updateHttpsSettings = function() {
var isAddTrackersEnabled = $('use_https_checkbox').getProperty('checked');
$('ssl_key_textarea').setProperty('disabled', !isAddTrackersEnabled);
$('ssl_cert_textarea').setProperty('disabled', !isAddTrackersEnabled);
var isUseHttpsEnabled = $('use_https_checkbox').getProperty('checked');
$('ssl_key_textarea').setProperty('disabled', !isUseHttpsEnabled);
$('ssl_cert_textarea').setProperty('disabled', !isUseHttpsEnabled);
};
updateBypasssAuthSettings = function() {