[Libreoffice-commits] online.git: loleaflet/dist wsd/FileServer.cpp

Pranav Kant pranavk at collabora.co.uk
Wed Apr 12 13:55:37 UTC 2017


 loleaflet/dist/loleaflet.html |    7 -------
 wsd/FileServer.cpp            |   10 +++++++++-
 2 files changed, 9 insertions(+), 8 deletions(-)

New commits:
commit b7eafb1e4a8da6fced02af395581475f0332c2a7
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Wed Apr 12 19:23:35 2017 +0530

    Move CSP to response headers from meta tag in html
    
    Some older browsers don't have meta tag support for CSP. Let's put all of
    the CSP in response headers to be compatible with oldies.
    
    Change-Id: I7f0d7c294e492b3c69ebea6fbd820d6558b9c3b3

diff --git a/loleaflet/dist/loleaflet.html b/loleaflet/dist/loleaflet.html
index 8b3f794c..bfa9ad3e 100644
--- a/loleaflet/dist/loleaflet.html
+++ b/loleaflet/dist/loleaflet.html
@@ -3,13 +3,6 @@
 <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <title>Online Editor</title>
 <meta charset="utf-8">
-<meta http-equiv="Content-Security-Policy" content="default-src 'none';
-						    frame-src 'self' blob:;
-						    connect-src 'self' %HOST%;
-						    script-src 'self' 'unsafe-inline';
-						    style-src 'self' 'unsafe-inline';
-						    font-src 'self' data:;
-						    img-src 'self' data:;">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 
 <script>
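Review bot: Dropping the meta policy makes loleaflet.html depend entirely on the server emitting the header, yet the FileServer.cpp hunk only writes `Content-Security-Policy` inside `if (!wopiDomain.empty())`; any load of this page on the `else` path (no WOPI domain) now has no CSP at all, where the meta tag previously always applied. Either emit the non-`frame-ancestors` directives unconditionally on the server side, or keep the meta tag as a fallback for that path. A short HTML comment here noting that the policy now lives in wsd/FileServer.cpp would also help the next person who looks for it.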
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 96552d40..cf9607d0 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -352,8 +352,16 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
 
     if (!wopiDomain.empty())
     {
+        // Replaced by frame-ancestors in CSP but some oldies don't know about that
         oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
-        oss << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n";
+        oss << "Content-Security-Policy: default-src 'none'; "
+            << "frame-src 'self' blob:; "
+            << "connect-src 'self' " << host << "; "
+            << "script-src 'unsafe-inline' 'self'; "
+            << "style-src 'self' 'unsafe-inline'; "
+            << "font-src 'self' data:; "
+            << "img-src 'self' data:; "
+            << "frame-ancestors " << wopiDomain << "\r\n";
     }
     else
     {
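Review bot: The full policy is only sent in the `!wopiDomain.empty()` branch, so the `else` branch (its body is outside this hunk) needs the same `default-src 'none'; ... img-src 'self' data:;` directives minus `frame-ancestors`, otherwise the non-WOPI case regresses from the meta-tag behaviour to no policy at all. Two smaller points: `connect-src 'self' " << host` must receive exactly the value that used to be substituted for `%HOST%` in the html (scheme and port included), or WebSocket connections will be blocked by the stricter header; and the `script-src` directive order changed from `'self' 'unsafe-inline'` to `'unsafe-inline' 'self'`, which is harmless but worth keeping identical to the removed meta tag so the two can be diffed. The new comment on `X-Frame-Options: allow-from` is accurate as far as it goes; note that `allow-from` was only ever honoured by some browsers, so `frame-ancestors` remains the directive that actually carries the protection where CSP is understood.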

