[Libreoffice-commits] online.git: Branch 'distro/collabora/collabora-online-2-1' - loleaflet/dist wsd/FileServer.cpp

Pranav Kant pranavk at collabora.co.uk
Wed Apr 12 16:53:23 UTC 2017


 loleaflet/dist/loleaflet.html |    7 -------
 wsd/FileServer.cpp            |   15 ++++++++++++++-
 2 files changed, 14 insertions(+), 8 deletions(-)

New commits:
commit 00af954041c72f00e2813f4102fe22b6f52fa946
Author: Pranav Kant <pranavk at collabora.co.uk>
Date:   Wed Apr 12 19:23:35 2017 +0530

    Make CSP work in older browsers
    
    This cherry-pick consists of the following commits:
    
    Move CSP to response headers from meta tag in html
    (cherry picked from commit b7eafb1e4a8da6fced02af395581475f0332c2a7)
    
    Use CSP without WOPI host too
    (cherry picked from commit 699e8df9a7f99f59a5366e4f2506a69d71e8de9d)
    
    Change-Id: I7f0d7c294e492b3c69ebea6fbd820d6558b9c3b3
    Reviewed-on: https://gerrit.libreoffice.org/36480
    Reviewed-by: Jan Holesovsky <kendy at collabora.com>
    Tested-by: Jan Holesovsky <kendy at collabora.com>

diff --git a/loleaflet/dist/loleaflet.html b/loleaflet/dist/loleaflet.html
index 8b3f794c..bfa9ad3e 100644
--- a/loleaflet/dist/loleaflet.html
+++ b/loleaflet/dist/loleaflet.html
@@ -3,13 +3,6 @@
 <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <title>Online Editor</title>
 <meta charset="utf-8">
-<meta http-equiv="Content-Security-Policy" content="default-src 'none';
-						    frame-src 'self' blob:;
-						    connect-src 'self' %HOST%;
-						    script-src 'self' 'unsafe-inline';
-						    style-src 'self' 'unsafe-inline';
-						    font-src 'self' data:;
-						    img-src 'self' data:;">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 
 <script>
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 8968133b..ca742309 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -350,16 +350,29 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
         << "X-XSS-Protection: 1; mode=block\r\n"
         << "Referrer-Policy: no-referrer\r\n";
 
+    std::ostringstream cspOss;
+    cspOss << "Content-Security-Policy: default-src 'none'; "
+           << "frame-src 'self' blob:; "
+           << "connect-src 'self' " << host << "; "
+           << "script-src 'unsafe-inline' 'self'; "
+           << "style-src 'self' 'unsafe-inline'; "
+           << "font-src 'self' data:; "
+           << "img-src 'self' data:; ";
     if (!wopiDomain.empty())
     {
+        // Replaced by frame-ancestors in CSP but some oldies don't know about that
         oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
-        oss << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n";
+        cspOss << "frame-ancestors " << wopiDomain;
     }
     else
     {
         oss << "X-Frame-Options: deny\r\n";
     }
 
+    cspOss << "\r\n";
+    // Append CSP to response headers too
+    oss << cspOss.str();
+
     // Setup HTTP Public key pinning
     if (LOOLWSD::isSSLEnabled() && config.getBool("ssl.hpkp[@enable]", false))
     {

