[Libreoffice-commits] online.git: wsd/FileServer.cpp
Libreoffice Gerrit user
logerrit at kemper.freedesktop.org
Wed Dec 5 15:21:02 UTC 2018
wsd/FileServer.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
New commits:
commit 6e0d1ad707ef17e2af7413a381179847e5816b7c
Author: Miklos Vajna <vmiklos at collabora.com>
AuthorDate: Wed Dec 5 16:13:26 2018 +0100
Commit: Miklos Vajna <vmiklos at collabora.com>
CommitDate: Wed Dec 5 16:14:44 2018 +0100
document signing: whitelist CSP frame-src for doc sign endpoint URL
If document signing is enabled in loolwsd.xml, then explicitly whitelist
iframe creation towards the doc sign endpoint server, to avoid
> Refused to frame '...' because it violates the following Content Security Policy directive: "frame-src 'self' blob:".
Note that this happened only in non-debug builds, as we currently don't
send any Content Security Policy headers in debug builds.
Change-Id: Iee2a0644d67d5803ab3f5c636b8e960fa619792f
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index cd799929f..5855491ff 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -670,9 +670,11 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "X-XSS-Protection: 1; mode=block\r\n"
<< "Referrer-Policy: no-referrer\r\n";
+ // Document signing: if endpoint URL is configured, whitelist that for
+ // iframe purposes.
std::ostringstream cspOss;
cspOss << "Content-Security-Policy: default-src 'none'; "
- << "frame-src 'self' blob:; "
+ << "frame-src 'self' blob: " << documentSigningURL << "; "
<< "connect-src 'self' " << host << "; "
<< "script-src 'unsafe-inline' 'self'; "
<< "style-src 'self' 'unsafe-inline'; "
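Review bot: the comment on the added lines says the endpoint URL is whitelisted "if endpoint URL is configured", but the `frame-src` line appends `documentSigningURL` unconditionally. An empty value only leaves a stray space before the `;`, which browsers tolerate, but a configured value that is not a single valid CSP source expression (for example one containing whitespace or a `;`) would be spliced into the header as-is and could alter the directives that follow, such as `connect-src` and `script-src`. Suggest guarding the insertion (only emit the value when it is non-empty) and validating or normalising it to a scheme-plus-host form before it reaches the header, e.g. `if (!documentSigningURL.empty()) cspOss << documentSigningURL << ' ';`.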