d4708
/
qBittorrent
mirror of https://github.com/d47081/qBittorrent.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

Improve WebUI security measures 

CSP was erroneously disabled in bad4d94f77
when clickjacking protection is off, now it is back.
Also added CSP 'frame-ancestors' directive when clickjacking
protection is enabled.
adaptive-webui-19844
Chocobo1 6 years ago
parent
1d25d95740
commit
e8d378e167
No known key found for this signature in database
GPG Key ID: 210D9C873253A68C
1 changed files with 4 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      src/webui/webapplication.cpp

5
src/webui/webapplication.cpp
Unescape View File

@ -533,11 +533,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons @@ -533,11 +533,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
if (m_isClickjackingProtectionEnabled) {
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
csp += QLatin1String(" frame-ancestors 'self';");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
return response();
}

Write Preview
Loading…
Cancel
Save