Commit graph

29 commits

Author SHA1 Message Date
Pranav Kant
1ca873d57e security: X-XSS-Protection header
Change-Id: I050cba3ad8aeedaefa773d78254a3a37a7ddef30
2017-04-09 23:32:06 +05:30
Pranav Kant
61b7112aa7 security: X-Content-Type-Options: nosniff
Don't think it is necessary/useful to have this header at other places.
This is the most important and perhaps the only where presence of this
header is required and seems sensible to prevent potential attacks.

Change-Id: Iad318e4b83264ac83620b86a40a49e7384e4015e
2017-04-09 23:32:06 +05:30
Pranav Kant
df8ac5f33e wsd: Only set these headers if its WOPI
Change-Id: I1ccedc9828a724b55f8642aaa2b934c37f49a4dd
2017-04-09 23:32:06 +05:30
Pranav Kant
1a1a3ebb3c wsd: Fileserver cleanup
Remove unnecessary checks

Rename preprocessFile -> preprocessAndSendLoleafletHtml and
Rename isAdminLoggedIn -> tryAdminLogin
so that their name matches the actual reality of what these
function really does.

Change-Id: I549eae31f8ab0a320bb3ff8ecd17a282b8f91e1a
2017-04-07 13:46:04 +05:30
Pranav Kant
1614f8d417 security: Mention X-Frame-Options too for ie/edge
ie/edge ignores frame-ancestor directive of CSP (yet). Mention X-Frame-Options
for them. Similary, X-Frame-Options allow-from attribute is not
supported by Chrome:
(see https://bugs.chromium.org/p/chromium/issues/detail?id=511521)
In that case, we already have frame-ancestor CSP directive for it.

Change-Id: Ide00c4db88c438de5e9c679360b3da6f4eb4a1be
2017-04-07 13:46:04 +05:30
Pranav Kant
ffc5d516b4 security: CSP: Add frame-ancestor directive
Block embedding LibreOffice Online is frames of different origin.

Change-Id: If3e04a0704e42853dc757b4be1f30fc22b8b33e4
2017-04-07 13:46:04 +05:30
dewana-dewan
4322045667 tdf#106579 - serving gzipped file content
Change-Id: I320b22babf1bf65a0f1d4b1809a6ffb1f5ec8344
2017-03-30 12:09:12 +01:00
Michael Meeks
e7ebe0fdaa remove obsolete Poco headers, and Poco SSL pieces. 2017-03-16 18:03:23 +00:00
Michael Meeks
97cb6597c8 Admin: don't set 'secure' on auth cookie for http.
Also tweak paths to accomodate bundlification, apparently un-necessary
in secure cookie mode, interestingly.
2017-03-16 16:44:27 +00:00
Michael Meeks
f392d9e6f0 Move http serving into socket impl.
Avoid caching headers with parameter, and add Date: parameter.
2017-03-15 18:21:59 +00:00
Ashod Nakashian
8b9623010a wsd: sendHttpResponse -> send
Change-Id: I7c94f6d4cd1054ea86585bfcd4079140471f3518
Reviewed-on: https://gerrit.libreoffice.org/35157
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2017-03-14 04:30:55 +00:00
Michael Meeks
fad3a046ae AdminConsole - get credentials sorted, and serve the HTML pieces. 2017-03-13 21:48:19 +00:00
Michael Meeks
71a1e188a7 Handle If-None-Match / ETag (hopefully) - hard to test ... 2017-03-11 22:28:59 +00:00
Michael Meeks
173ca5e3d6 Quote ETag. 2017-03-10 16:42:48 +00:00
Michael Meeks
3b370022c0 Improve state dumping. 2017-03-10 15:37:09 +00:00
Ashod Nakashian
b8af470918 nb: serve files synchronously
As there isn't support (yet) to send files
asynchronously, when the socket native buffer
is small, asynchronous writes naturally return
EWOULDBLOCK. As a temp solution, we send files
synchronously, so there is no need to poll.

This should be replaced witha file-server
polling/serving thread that is dedicated to
sending files only (which closes the connection
when done).

Change-Id: I062fea44bfe54ab8d147b745da97bd499bf00657
2017-03-10 10:47:44 +01:00
Ashod Nakashian
ccdb1bcc6e nb: proper POST body processing
Change-Id: Ic37094e50979e14d2862ae32088295b42d9c4931
2017-03-10 10:47:41 +01:00
Ashod Nakashian
72669bf929 nb: logging
Change-Id: Ia67f746a6c71b4753d04b92472eddf1614c0d337
2017-03-10 10:47:41 +01:00
Ashod Nakashian
925934d09d nb: set the Date in http header
Change-Id: I71e3388c1f204135c6dc72ad27890bffe53792b3
2017-03-10 10:47:41 +01:00
Ashod Nakashian
0759d1afbc nb: http error cases in file server
Change-Id: I81b0ef3f080ba61836d99fbdde0fb94e1a44a625
2017-03-10 10:47:41 +01:00
Ashod Nakashian
1bb29282f1 nb: serve files using non-blocking sockets
Change-Id: I254288980f72f197d29b7b57ec9c88a01a5a1d03
2017-03-10 10:47:40 +01:00
Ashod Nakashian
ba9ffb4775 wsd: include cleanup
Change-Id: Id481cfbab6be12a095918bdc7318fb3584345307
Reviewed-on: https://gerrit.libreoffice.org/32548
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2016-12-31 23:22:15 +00:00
Ashod Nakashian
e1d5bf4ec2 wsd: no need for first foreslash in local path
Since the local path already ends in foreslash,
no need to keep the on in provided by the client.

Change-Id: Ia2bc24c7faa84509f9ec18deefb14cad2858e856
Reviewed-on: https://gerrit.libreoffice.org/32288
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2016-12-21 15:01:39 +00:00
Ashod Nakashian
a3de232c7a wsd: FileServer logging updated
Change-Id: Ia797c6c8f9068805d85f066030f8110f0affb7f4
Reviewed-on: https://gerrit.libreoffice.org/32286
Reviewed-by: Ashod Nakashian <ashnakash@gmail.com>
Tested-by: Ashod Nakashian <ashnakash@gmail.com>
2016-12-21 15:00:52 +00:00
Pranav Kant
39dd5018e2 browser console logging depending on loleaflet_logging prop.
loleaflet_logging defaults to true with compiled with
--enable-debug otherwise false.

Browser will print additional debug info when this property is
set to true.

Change-Id: Id9fabf134bd8d19fa1a09ca8c0987df46d4f1a4c
2016-12-15 16:52:07 +05:30
Andras Timar
0b596ae51d wsd: do not warn about missing access_token_ttl, when there is no access_token
Change-Id: I6ac7014dee21892dfd8b3b594cafe2dc030b6b2a
2016-12-13 09:56:29 +01:00
Andras Timar
708f9be23a wsd: do not log error, when access_token_ttl is not passed 2016-12-12 19:28:37 +01:00
Pranav Kant
dde653f920 tdf#103825: Prompt the user when session is about to expire
Set a timer in loleaflet 15 minutes before access token expiry
date (access_token_ttl value) to prompt the user to save and
refresh the session.

Change-Id: I98c3e47c9b7031e29e002f653d488747b9c17df8
Reviewed-on: https://gerrit.libreoffice.org/31381
Reviewed-by: Jan Holesovsky <kendy@collabora.com>
Tested-by: Jan Holesovsky <kendy@collabora.com>
2016-12-02 12:38:51 +00:00
Michael Meeks
cca657c8f2 Apply the pre-branch rename script to re-organize the source. 2016-11-25 09:58:48 +00:00
Renamed from loolwsd/FileServer.cpp (Browse further)