From e8d378e1672fd5e8aa6afc7a77284d9e96c0b085 Mon Sep 17 00:00:00 2001
From: Chocobo1 <Chocobo1@users.noreply.github.com>
Date: Tue, 29 May 2018 13:40:52 +0800
Subject: [PATCH] Improve WebUI security measures

CSP was erroneously disabled in bad4d94f778a1ceba8a0e16d1836e649d767cca8
when clickjacking protection is off, now it is back.
Also added CSP 'frame-ancestors' directive when clickjacking
protection is enabled.
---
 src/webui/webapplication.cpp | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index bde61c83f..983f9caaf 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -533,11 +533,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
     header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
     header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
 
+    QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
     if (m_isClickjackingProtectionEnabled) {
         header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
-        header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
+        csp += QLatin1String(" frame-ancestors 'self';");
     }
 
+    header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
+
     return response();
 }