Use CSP without WOPI host too

Fallback from b7eafb1e4a

Change-Id: I741a3f2320cfeec2250c10913871cf350861a39d
This commit is contained in:
Pranav Kant 2017-04-12 19:58:08 +05:30
parent b7eafb1e4a
commit 699e8df9a7


@ -350,24 +350,29 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "X-XSS-Protection: 1; mode=block\r\n"
<< "Referrer-Policy: no-referrer\r\n";
std::ostringstream cspOss;
cspOss << "Content-Security-Policy: default-src 'none'; "
<< "frame-src 'self' blob:; "
<< "connect-src 'self' " << host << "; "
<< "script-src 'unsafe-inline' 'self'; "
<< "style-src 'self' 'unsafe-inline'; "
<< "font-src 'self' data:; "
<< "img-src 'self' data:; ";
if (!wopiDomain.empty())
{
// Replaced by frame-ancestors in CSP but some oldies don't know about that
oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
oss << "Content-Security-Policy: default-src 'none'; "
<< "frame-src 'self' blob:; "
<< "connect-src 'self' " << host << "; "
<< "script-src 'unsafe-inline' 'self'; "
<< "style-src 'self' 'unsafe-inline'; "
<< "font-src 'self' data:; "
<< "img-src 'self' data:; "
<< "frame-ancestors " << wopiDomain << "\r\n";
cspOss << "frame-ancestors " << wopiDomain;
}
else
{
oss << "X-Frame-Options: deny\r\n";
}
cspOss << "\r\n";
// Append CSP to response headers too
oss << cspOss.str();
// Setup HTTP Public key pinning
if (LOOLWSD::isSSLEnabled() && config.getBool("ssl.hpkp[@enable]", false))
{
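Review bot: In the new else branch the CSP is emitted without any frame-ancestors directive, so the no-WOPI case relies on the `X-Frame-Options: deny` header alone while the WOPI case carries the restriction in both headers; adding `cspOss << "frame-ancestors 'none'";` next to the `X-Frame-Options: deny` line keeps the two cases parallel and makes the CSP self-contained for clients that honour it over X-Frame-Options. The shared prefix ends with `"img-src 'self' data:; "`, so in the else case the header value ends in a dangling `; ` before the CRLF appended at `cspOss << "\r\n"`; that is harmless to parsers but worth trimming once the else branch also appends a directive. Both `host` and `wopiDomain` are interpolated into header values unescaped, which is only safe if they are known not to contain CR/LF; their origin is outside this hunk, so a short comment stating that assumption where they are derived would help the next reader. preprocessFile begins before the hunk and continues after it.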