[Libreoffice-commits] online.git: wsd/FileServer.cpp
Pranav Kant
pranavk at collabora.co.uk
Wed Apr 12 14:28:53 UTC 2017
wsd/FileServer.cpp | 21 +++++++++++++--------
1 file changed, 13 insertions(+), 8 deletions(-)
New commits:
commit 699e8df9a7f99f59a5366e4f2506a69d71e8de9d
Author: Pranav Kant <pranavk at collabora.co.uk>
Date: Wed Apr 12 19:58:08 2017 +0530
Use CSP without WOPI host too
Fallback from b7eafb1e4a8da6fced02af395581475f0332c2a7
Change-Id: I741a3f2320cfeec2250c10913871cf350861a39d
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index cf9607d0..53583c6f 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -350,24 +350,29 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "X-XSS-Protection: 1; mode=block\r\n"
<< "Referrer-Policy: no-referrer\r\n";
+ std::ostringstream cspOss;
+ cspOss << "Content-Security-Policy: default-src 'none'; "
+ << "frame-src 'self' blob:; "
+ << "connect-src 'self' " << host << "; "
+ << "script-src 'unsafe-inline' 'self'; "
+ << "style-src 'self' 'unsafe-inline'; "
+ << "font-src 'self' data:; "
+ << "img-src 'self' data:; ";
if (!wopiDomain.empty())
{
// Replaced by frame-ancestors in CSP but some oldies don't know about that
oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
- oss << "Content-Security-Policy: default-src 'none'; "
- << "frame-src 'self' blob:; "
- << "connect-src 'self' " << host << "; "
- << "script-src 'unsafe-inline' 'self'; "
- << "style-src 'self' 'unsafe-inline'; "
- << "font-src 'self' data:; "
- << "img-src 'self' data:; "
- << "frame-ancestors " << wopiDomain << "\r\n";
+ cspOss << "frame-ancestors " << wopiDomain;
}
else
{
oss << "X-Frame-Options: deny\r\n";
}
+ cspOss << "\r\n";
+ // Append CSP to response headers too
+ oss << cspOss.str();
+
// Setup HTTP Public key pinning
if (LOOLWSD::isSSLEnabled() && config.getBool("ssl.hpkp[@enable]", false))
{
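Review bot: The `else` branch (no WOPI host) sends `X-Frame-Options: deny` but adds no `frame-ancestors` directive to the CSP that is now emitted on every response. `frame-ancestors` does not fall back to `default-src 'none'`, so in that case the policy places no restriction on framing and protection rests on the legacy header alone. Adding `cspOss << "frame-ancestors 'none'";` inside the `else` block would keep the two headers in agreement. Separately, `host` and `wopiDomain` are streamed into header values as-is; where they come from is outside this hunk, so confirm they are validated (no CR/LF, no `;` or whitespace) before this point, since otherwise they could introduce an extra header or CSP directive. `preprocessFile` begins and ends outside the hunk.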