Revise CSP header
The majority of the CSP is tuned for the built-in WebUI, so it may not be suitable for an alternative UI. Also wrap strings in QLatin1String: this code path is called repeatedly, so it is worth adding QLatin1String to squeeze out the last bit of performance.
This commit is contained in:
parent
7fd30fa90f
commit
c1912e17c1
@ -457,6 +457,13 @@ void WebApplication::configure()
|
|||||||
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
|
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
|
||||||
m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
|
m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
|
||||||
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
|
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
|
||||||
|
|
||||||
|
m_contentSecurityPolicy =
|
||||||
|
(m_isAltUIUsed
|
||||||
|
? QLatin1String("")
|
||||||
|
: QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"))
|
||||||
|
+ (m_isClickjackingProtectionEnabled ? QLatin1String(" frame-ancestors 'self';") : QLatin1String(""))
|
||||||
|
+ (m_isHttpsEnabled ? QLatin1String(" upgrade-insecure-requests;") : QLatin1String(""));
|
||||||
}
|
}
|
||||||
|
|
||||||
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
|
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
|
||||||
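Review bot: The alternative-UI branch on the `? QLatin1String("")` line drops every directive of the base policy, including `object-src 'none'` and `form-action 'self'`, which do not depend on the UI's own assets the way `script-src`/`style-src` do; it is worth stating in a comment which directives are deliberately left to the alternative UI, or keeping the UI-independent ones in both branches. With the empty base the resulting value also starts with a space (` frame-ancestors 'self';`), harmless for an HTTP header value but a sign that a trimmed join would read better than the chained ternaries. Since an empty `m_contentSecurityPolicy` means processRequest sends no CSP header at all, a comment above the assignment such as `// Empty policy: no Content-Security-Policy header is sent (alternative UI with clickjacking protection and HTTPS off)` would make that outcome explicit.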
@ -559,21 +566,17 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
|
|||||||
print(error.message(), Http::CONTENT_TYPE_TXT);
|
print(error.message(), Http::CONTENT_TYPE_TXT);
|
||||||
}
|
}
|
||||||
|
|
||||||
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
|
header(QLatin1String(Http::HEADER_X_XSS_PROTECTION), QLatin1String("1; mode=block"));
|
||||||
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
|
header(QLatin1String(Http::HEADER_X_CONTENT_TYPE_OPTIONS), QLatin1String("nosniff"));
|
||||||
|
|
||||||
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
|
if (m_isClickjackingProtectionEnabled)
|
||||||
if (m_isClickjackingProtectionEnabled) {
|
header(QLatin1String(Http::HEADER_X_FRAME_OPTIONS), QLatin1String("SAMEORIGIN"));
|
||||||
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
|
|
||||||
csp += QLatin1String(" frame-ancestors 'self';");
|
|
||||||
}
|
|
||||||
if (m_isHttpsEnabled) {
|
|
||||||
csp += QLatin1String(" upgrade-insecure-requests;");
|
|
||||||
}
|
|
||||||
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
|
|
||||||
|
|
||||||
if (!m_isAltUIUsed)
|
if (!m_isAltUIUsed)
|
||||||
header(Http::HEADER_REFERRER_POLICY, "same-origin");
|
header(QLatin1String(Http::HEADER_REFERRER_POLICY), QLatin1String("same-origin"));
|
||||||
|
|
||||||
|
if (!m_contentSecurityPolicy.isEmpty())
|
||||||
|
header(QLatin1String(Http::HEADER_CONTENT_SECURITY_POLICY), m_contentSecurityPolicy);
|
||||||
|
|
||||||
return response();
|
return response();
|
||||||
}
|
}
|
||||||
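Review bot: The `if (!m_contentSecurityPolicy.isEmpty())` guard makes the Content-Security-Policy header conditional, whereas X-Frame-Options a few lines above it is still emitted whenever clickjacking protection is on; a short comment on that line, e.g. `// kept alongside the CSP frame-ancestors directive for clients that do not honour it`, would explain why both survive. The four `header(QLatin1String(Http::HEADER_...), QLatin1String("..."))` calls wrap the header-name constants on every request; if `Http::HEADER_*` are plain character arrays, declaring them once as QLatin1String would avoid repeating the wrapper at each call site, though that depends on declarations outside the hunk. processRequest begins before the hunk.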
|
@ -157,4 +157,5 @@ private:
|
|||||||
bool m_isCSRFProtectionEnabled;
|
bool m_isCSRFProtectionEnabled;
|
||||||
bool m_isHostHeaderValidationEnabled;
|
bool m_isHostHeaderValidationEnabled;
|
||||||
bool m_isHttpsEnabled;
|
bool m_isHttpsEnabled;
|
||||||
|
QString m_contentSecurityPolicy;
|
||||||
};
|
};
|
||||||
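Review bot: The new `m_contentSecurityPolicy` member is undocumented; since it is assembled in configure() and an empty value suppresses the Content-Security-Policy header in processRequest, a trailing comment such as `QString m_contentSecurityPolicy; // assembled in configure(); empty means no CSP header is sent` would make that contract visible at the declaration.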
|