Browse Source

Merge pull request #9013 from Piccirello/strengthen-csp

More restrictive Content Security Policy
adaptive-webui-19844
Mike Tzou 7 years ago committed by GitHub
parent
commit
5f8feec1c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
  1. 6
      src/webui/webapplication.cpp
  2. 1
      src/webui/webapplication.h
  3. 6
      src/webui/www/private/preferences_content.html

6
src/webui/webapplication.cpp

@ -432,6 +432,7 @@ void WebApplication::configure()
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled(); m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled(); m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
} }
void WebApplication::registerAPIController(const QString &scope, APIController *controller) void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -534,11 +535,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block"); header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff"); header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';"); QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
if (m_isClickjackingProtectionEnabled) { if (m_isClickjackingProtectionEnabled) {
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN"); header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';"); csp += QLatin1String(" frame-ancestors 'self';");
} }
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp); header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);

1
src/webui/webapplication.h

@ -146,4 +146,5 @@ private:
// security related // security related
bool m_isClickjackingProtectionEnabled; bool m_isClickjackingProtectionEnabled;
bool m_isCSRFProtectionEnabled; bool m_isCSRFProtectionEnabled;
bool m_isHttpsEnabled;
}; };

6
src/webui/www/private/preferences_content.html

@ -733,9 +733,9 @@
// Web UI tab // Web UI tab
updateHttpsSettings = function() { updateHttpsSettings = function() {
var isAddTrackersEnabled = $('use_https_checkbox').getProperty('checked'); var isUseHttpsEnabled = $('use_https_checkbox').getProperty('checked');
$('ssl_key_textarea').setProperty('disabled', !isAddTrackersEnabled); $('ssl_key_textarea').setProperty('disabled', !isUseHttpsEnabled);
$('ssl_cert_textarea').setProperty('disabled', !isAddTrackersEnabled); $('ssl_cert_textarea').setProperty('disabled', !isUseHttpsEnabled);
}; };
updateBypasssAuthSettings = function() { updateBypasssAuthSettings = function() {

Loading…
Cancel
Save