[Libreoffice-commits] online.git: wsd/FileServer.cpp

Libreoffice Gerrit user logerrit at kemper.freedesktop.org
Sat Dec 22 11:29:33 UTC 2018


 wsd/FileServer.cpp |    2 --
 1 file changed, 2 deletions(-)

New commits:
commit 58b32282927492cc332f82474439a648e6bb3682
Author:     Miklos Vajna <vmiklos at collabora.com>
AuthorDate: Fri Dec 21 15:47:13 2018 +0100
Commit:     Miklos Vajna <vmiklos at collabora.com>
CommitDate: Sat Dec 22 12:29:12 2018 +0100

    Revert "Always allow frame embedding in debug mode"
    
    This reverts commit 1d9a9e834abb612bbf7b6828802db64e53036723. This
    commit meant that if you hit CSP violations, then 'make run' hides those
    problems and you need a full 'docker' (or similar) setup to see the
    problem, where it's much more painful to debug it.
    
    See commit 6e0d1ad707ef17e2af7413a381179847e5816b7c (document signing:
    whitelist CSP frame-src for doc sign endpoint URL, 2018-12-05) for a
    real-world example where this happened.
    
    Change-Id: Idc14496463f6decd0ad64c3b31758b4f532d66e6
    Reviewed-on: https://gerrit.libreoffice.org/65549
    Reviewed-by: Samuel Mehrbrodt <Samuel.Mehrbrodt at cib.de>
    Reviewed-by: Miklos Vajna <vmiklos at collabora.com>
    Tested-by: Miklos Vajna <vmiklos at collabora.com>

diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 5855491ff..10e963dc8 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -681,7 +681,6 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
            << "font-src 'self' data:; "
            << "object-src blob:; ";
 
-#if !ENABLE_DEBUG // always allow iframe embedding in debug mode
     // Frame ancestors: Allow loolwsd host, wopi host and anything configured.
     std::string configFrameAncestor = config.getString("net.frame_ancestors", "");
     std::string frameAncestors = configFrameAncestor;
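Review bot: at the removed `#if !ENABLE_DEBUG` line, the trailing comment on that line was the only in-code record that debug builds treated frame embedding differently. The surviving comment ("Frame ancestors: Allow loolwsd host, wopi host and anything configured.") could state that the restriction applies to debug builds as well, so a developer whose 'make run' instance stops loading in a foreign frame knows to set `net.frame_ancestors` instead of looking for a build-time switch.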
@@ -723,7 +722,6 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
     cspOss << "\r\n";
     // Append CSP to response headers too
     oss << cspOss.str();
-#endif
 
     // Setup HTTP Public key pinning
     if ((LOOLWSD::isSSLEnabled() || LOOLWSD::isSSLTermination()) && config.getBool("ssl.hpkp[@enable]", false))
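Review bot: at the removed `#endif` after `oss << cspOss.str();`, the diffstat shows only wsd/FileServer.cpp changing, so nothing checks that a debug build now appends the CSP to the response headers. Since the commit message gives surfacing CSP violations under 'make run' as the reason for the revert, consider adding a test that asserts the policy is present in the response produced by `preprocessFile`, so the guard cannot be reintroduced unnoticed.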

