mirror of
https://github.com/d47081/qBittorrent.git
synced 2025-01-14 08:48:17 +00:00
Merge pull request #9013 from Piccirello/strengthen-csp
More restrictive Content Security Policy
This commit is contained in:
Mike Tzou
GitHub
commit
5f8feec1c1
@ -432,6 +432,7 @@ void WebApplication::configure()
|
|||||||
|
|
||||||
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
|
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
|
||||||
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
|
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
|
||||||
|
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
|
||||||
}
|
}
|
||||||
|
|
||||||
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
|
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
|
||||||
@ -534,11 +535,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
|
|||||||
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
|
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
|
||||||
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
|
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
|
||||||
|
|
||||||
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
|
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
|
||||||
if (m_isClickjackingProtectionEnabled) {
|
if (m_isClickjackingProtectionEnabled) {
|
||||||
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
|
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
|
||||||
csp += QLatin1String(" frame-ancestors 'self';");
|
csp += QLatin1String(" frame-ancestors 'self';");
|
||||||
}
|
}
|
||||||
|
if (m_isHttpsEnabled) {
|
||||||
|
csp += QLatin1String(" upgrade-insecure-requests;");
|
||||||
|
}
|
||||||
|
|
||||||
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
|
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
|
||||||
|
|
||||||
|
|||||||
@ -146,4 +146,5 @@ private:
|
|||||||
// security related
|
// security related
|
||||||
bool m_isClickjackingProtectionEnabled;
|
bool m_isClickjackingProtectionEnabled;
|
||||||
bool m_isCSRFProtectionEnabled;
|
bool m_isCSRFProtectionEnabled;
|
||||||
|
bool m_isHttpsEnabled;
|
||||||
};
|
};
|
||||||
|
|||||||
@ -733,9 +733,9 @@
|
|||||||
|
|
||||||
// Web UI tab
|
// Web UI tab
|
||||||
updateHttpsSettings = function() {
|
updateHttpsSettings = function() {
|
||||||
var isAddTrackersEnabled = $('use_https_checkbox').getProperty('checked');
|
var isUseHttpsEnabled = $('use_https_checkbox').getProperty('checked');
|
||||||
$('ssl_key_textarea').setProperty('disabled', !isAddTrackersEnabled);
|
$('ssl_key_textarea').setProperty('disabled', !isUseHttpsEnabled);
|
||||||
$('ssl_cert_textarea').setProperty('disabled', !isAddTrackersEnabled);
|
$('ssl_cert_textarea').setProperty('disabled', !isUseHttpsEnabled);
|
||||||
};
|
};
|
||||||
|
|
||||||
updateBypasssAuthSettings = function() {
|
updateBypasssAuthSettings = function() {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user