From 699e8df9a7f99f59a5366e4f2506a69d71e8de9d Mon Sep 17 00:00:00 2001
From: Pranav Kant
Date: Wed, 12 Apr 2017 19:58:08 +0530
Subject: [PATCH] Use CSP without WOPI host too

Fallback from b7eafb1e4a8da6fced02af395581475f0332c2a7

Change-Id: I741a3f2320cfeec2250c10913871cf350861a39d
---
 wsd/FileServer.cpp | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index cf9607d01..53583c6fa 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -350,24 +350,29 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
 << "X-XSS-Protection: 1; mode=block\r\n"
 << "Referrer-Policy: no-referrer\r\n";
 
+ std::ostringstream cspOss;
+ cspOss << "Content-Security-Policy: default-src 'none'; "
+ << "frame-src 'self' blob:; "
+ << "connect-src 'self' " << host << "; "
+ << "script-src 'unsafe-inline' 'self'; "
+ << "style-src 'self' 'unsafe-inline'; "
+ << "font-src 'self' data:; "
+ << "img-src 'self' data:; ";
 if (!wopiDomain.empty())
 {
 // Replaced by frame-ancestors in CSP but some oldies don't know about that
 oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
- oss << "Content-Security-Policy: default-src 'none'; " << "frame-src 'self' blob:; " << "connect-src 'self' " << host << "; " << "script-src 'unsafe-inline' 'self'; " << "style-src 'self' 'unsafe-inline'; " << "font-src 'self' data:; " << "img-src 'self' data:; " << "frame-ancestors " << wopiDomain << "\r\n";
+ cspOss << "frame-ancestors " << wopiDomain;
 }
 else
 {
 oss << "X-Frame-Options: deny\r\n";
 }
 
+ cspOss << "\r\n";
+ // Append CSP to response headers too
+ oss << cspOss.str();
+
 // Setup HTTP Public key pinning
 if (LOOLWSD::isSSLEnabled() && config.getBool("ssl.hpkp[@enable]", false))
 {
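Review bot: In the `else` branch the CSP that is now sent on every response carries no `frame-ancestors` directive, and `frame-ancestors` does not fall back to `default-src 'none'`, so for that branch only the legacy `X-Frame-Options: deny` header restricts framing; add `cspOss << "frame-ancestors 'none'";` next to `oss << "X-Frame-Options: deny\r\n";` so CSP-aware browsers get the same restriction the old header expresses. `host` and `wopiDomain` are written unescaped into `connect-src`, `frame-ancestors` and `X-Frame-Options`; where they come from is outside the hunk, but if either can be influenced by the request they should be rejected when they contain `;`, CR or LF before being placed in the header, since those characters would terminate the directive or the header. preprocessFile starts before the hunk and continues after it.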