[Libreoffice-commits] online.git: wsd/FileServer.cpp

Pranav Kant pranavk at collabora.co.uk
Wed Apr 12 14:28:53 UTC 2017


 wsd/FileServer.cpp |   21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

New commits:
commit 699e8df9a7f99f59a5366e4f2506a69d71e8de9d
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Wed Apr 12 19:58:08 2017 +0530

    Use CSP without WOPI host too
    
    Fallback from b7eafb1e4a8da6fced02af395581475f0332c2a7
    
    Change-Id: I741a3f2320cfeec2250c10913871cf350861a39d

diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index cf9607d0..53583c6f 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -350,24 +350,29 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
         << "X-XSS-Protection: 1; mode=block\r\n"
         << "Referrer-Policy: no-referrer\r\n";
 
+    std::ostringstream cspOss;
+    cspOss << "Content-Security-Policy: default-src 'none'; "
+           << "frame-src 'self' blob:; "
+           << "connect-src 'self' " << host << "; "
+           << "script-src 'unsafe-inline' 'self'; "
+           << "style-src 'self' 'unsafe-inline'; "
+           << "font-src 'self' data:; "
+           << "img-src 'self' data:; ";
     if (!wopiDomain.empty())
     {
         // Replaced by frame-ancestors in CSP but some oldies don't know about that
         oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
-        oss << "Content-Security-Policy: default-src 'none'; "
-            << "frame-src 'self' blob:; "
-            << "connect-src 'self' " << host << "; "
-            << "script-src 'unsafe-inline' 'self'; "
-            << "style-src 'self' 'unsafe-inline'; "
-            << "font-src 'self' data:; "
-            << "img-src 'self' data:; "
-            << "frame-ancestors " << wopiDomain << "\r\n";
+        cspOss << "frame-ancestors " << wopiDomain;
     }
     else
     {
         oss << "X-Frame-Options: deny\r\n";
     }
 
+    cspOss << "\r\n";
+    // Append CSP to response headers too
+    oss << cspOss.str();
+
     // Setup HTTP Public key pinning
     if (LOOLWSD::isSSLEnabled() && config.getBool("ssl.hpkp[@enable]", false))
     {
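Review bot: The `else` branch at L51-L54 sends `X-Frame-Options: deny` but leaves the now-unconditional CSP without a `frame-ancestors` directive, so the two headers no longer express the same policy in the no-WOPI case; adding `cspOss << "frame-ancestors 'none'";` next to the `deny` line keeps them consistent and lets CSP-aware clients enforce the restriction even where X-Frame-Options is ignored. Separately, `host` and `wopiDomain` are interpolated verbatim into the header at L32 and L49; both are assigned outside the hunk, and if either is derived from request data (Host header or a WOPISrc parameter) it should be rejected when it contains CR, LF, `;` or whitespace, otherwise a crafted value can terminate the header or append extra CSP sources. The comment at L57 would read better as `// Emit the CSP whether or not a WOPI host is set (frame-ancestors is added above only when it is)`. preprocessFile begins and ends outside the hunk.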

