
Revise CSP header

The majority of the CSP is tuned for the built-in WebUI; it may not be
suitable for an alternative UI.

Also add QLatin1String to strings. This code path is called repeatedly,
it is worth adding QLatin1String to squeeze out the last bit of
performance.
adaptive-webui-19844
Chocobo1 6 years ago
parent
commit
c1912e17c1
No known key found for this signature in database
GPG Key ID: 210D9C873253A68C
  1. 27
      src/webui/webapplication.cpp
  2. 1
      src/webui/webapplication.h

27
src/webui/webapplication.cpp

@ -457,6 +457,13 @@ void WebApplication::configure()
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled(); m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled(); m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled(); m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
m_contentSecurityPolicy =
(m_isAltUIUsed
? QLatin1String("")
: QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"))
+ (m_isClickjackingProtectionEnabled ? QLatin1String(" frame-ancestors 'self';") : QLatin1String(""))
+ (m_isHttpsEnabled ? QLatin1String(" upgrade-insecure-requests;") : QLatin1String(""));
} }
void WebApplication::registerAPIController(const QString &scope, APIController *controller) void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -559,21 +566,17 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
print(error.message(), Http::CONTENT_TYPE_TXT); print(error.message(), Http::CONTENT_TYPE_TXT);
} }
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block"); header(QLatin1String(Http::HEADER_X_XSS_PROTECTION), QLatin1String("1; mode=block"));
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff"); header(QLatin1String(Http::HEADER_X_CONTENT_TYPE_OPTIONS), QLatin1String("nosniff"));
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"); if (m_isClickjackingProtectionEnabled)
if (m_isClickjackingProtectionEnabled) { header(QLatin1String(Http::HEADER_X_FRAME_OPTIONS), QLatin1String("SAMEORIGIN"));
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';");
}
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
if (!m_isAltUIUsed) if (!m_isAltUIUsed)
header(Http::HEADER_REFERRER_POLICY, "same-origin"); header(QLatin1String(Http::HEADER_REFERRER_POLICY), QLatin1String("same-origin"));
if (!m_contentSecurityPolicy.isEmpty())
header(QLatin1String(Http::HEADER_CONTENT_SECURITY_POLICY), m_contentSecurityPolicy);
return response(); return response();
} }
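Review bot: In `WebApplication::configure()`, the alternative-UI branch (`? QLatin1String("")`) drops every base directive, so when clickjacking protection and HTTPS are both off, `processRequest()` sends no Content-Security-Policy header at all for an alternative UI. Directives such as `object-src 'none'` do not look tied to the built-in UI's markup and could probably stay in that branch, e.g. `? QLatin1String("object-src 'none';")`; if dropping the whole policy is intended, a comment such as `// alternative UIs get no base CSP and must restrict script/style sources themselves` would record that decision. The cached string is also built from `m_isAltUIUsed` and `m_isClickjackingProtectionEnabled`, whose assignments are not visible here, so both need to be set earlier in `configure()` than this expression. Both `configure()` and `processRequest()` start outside the shown hunks.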

1
src/webui/webapplication.h

@ -157,4 +157,5 @@ private:
bool m_isCSRFProtectionEnabled; bool m_isCSRFProtectionEnabled;
bool m_isHostHeaderValidationEnabled; bool m_isHostHeaderValidationEnabled;
bool m_isHttpsEnabled; bool m_isHttpsEnabled;
QString m_contentSecurityPolicy;
}; };
