Use CSP without WOPI host too
Fallback from b7eafb1e4a
Change-Id: I741a3f2320cfeec2250c10913871cf350861a39d
This commit is contained in:
parent
b7eafb1e4a
commit
699e8df9a7
1 changed files with 13 additions and 8 deletions
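--- a/<PATH_NOT_ON_PAGE>
+++ b/<PATH_NOT_ON_PAGE>
@@ -350,24 +350,29 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
 << "X-XSS-Protection: 1; mode=block\r\n"
 << "Referrer-Policy: no-referrer\r\n";
 
+std::ostringstream cspOss;
+cspOss << "Content-Security-Policy: default-src 'none'; "
+<< "frame-src 'self' blob:; "
+<< "connect-src 'self' " << host << "; "
+<< "script-src 'unsafe-inline' 'self'; "
+<< "style-src 'self' 'unsafe-inline'; "
+<< "font-src 'self' data:; "
+<< "img-src 'self' data:; ";
 if (!wopiDomain.empty())
 {
 // Replaced by frame-ancestors in CSP but some oldies don't know about that
 oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
-oss << "Content-Security-Policy: default-src 'none'; "
-<< "frame-src 'self' blob:; "
-<< "connect-src 'self' " << host << "; "
-<< "script-src 'unsafe-inline' 'self'; "
-<< "style-src 'self' 'unsafe-inline'; "
-<< "font-src 'self' data:; "
-<< "img-src 'self' data:; "
-<< "frame-ancestors " << wopiDomain << "\r\n";
+cspOss << "frame-ancestors " << wopiDomain;
 }
 else
 {
 oss << "X-Frame-Options: deny\r\n";
 }
 
+cspOss << "\r\n";
+// Append CSP to response headers too
+oss << cspOss.str();
+
 // Setup HTTP Public key pinning
 if (LOOLWSD::isSSLEnabled() && config.getBool("ssl.hpkp[@enable]", false))
 {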
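Review bot: In the else-branch (the `X-Frame-Options: deny` case) the CSP that is now always emitted carries no `frame-ancestors` directive, and `frame-ancestors` does not fall back to `default-src 'none'`, so framing in the non-WOPI case is still governed only by the legacy X-Frame-Options header rather than by the CSP this commit sets out to rely on. Adding `cspOss << "frame-ancestors 'none'";` inside that branch, mirroring the `cspOss << "frame-ancestors " << wopiDomain;` line in the WOPI branch, makes the two cases consistent. Both `host` and `wopiDomain` are still written into the header value without any escaping; if either can carry CR/LF or `;` from request-derived data (not visible in this hunk), it should be validated before interpolation, e.g. with a comment `// host/wopiDomain must already be validated: they are emitted verbatim into a header`. preprocessFile starts and ends outside the hunk.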