Browse Source

Improve WebUI security measures

CSP was erroneously disabled in bad4d94f77
when clickjacking protection is off, now it is back.
Also added CSP 'frame-ancestors' directive when clickjacking
protection is enabled.
adaptive-webui-19844
Chocobo1 7 years ago
parent
commit
e8d378e167
No known key found for this signature in database
GPG Key ID: 210D9C873253A68C
  1. 5
      src/webui/webapplication.cpp

5
src/webui/webapplication.cpp

@ -533,11 +533,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block"); header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff"); header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
if (m_isClickjackingProtectionEnabled) { if (m_isClickjackingProtectionEnabled) {
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN"); header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';"); csp += QLatin1String(" frame-ancestors 'self';");
} }
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
return response(); return response();
} }

Loading…
Cancel
Save