Add Content-Security-Policy (CSP) Level 2 directives
Content Security Policy Level 2 directives as below:
form-action set to 'none' - No form submissions to external websites.
frame-ancestors set to 'none' - Preventing framing attacks
(clickjacking, cross-site leaks).
plugin-types set to 'none' - Plugins are not allowed.
base-uri set to 'none' - Protect against classical stored, reflected,
and some of the DOM XSS attacks.
More Information
<https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html>
Tested:
Checked the CSP Level 2 directives in Chrome/Firefox/Safari browsers,
webui and webui-vue.
Change-Id: Id823958469fdbb02259fcc24c4e91789c65eec33
Signed-off-by: Basheer Ahmed Muddebihal <basheerx.muddebihal@intel.com>
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index e8cd37a..6cf2689 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -30,10 +30,15 @@
"font-src 'self'; "
"style-src 'self'; "
"script-src 'self'; "
- "connect-src 'self' wss:");
+ "connect-src 'self' wss:; "
+ "form-action 'none'; "
+ "frame-ancestors 'none'; "
+ "plugin-types 'none'; "
+ "base-uri 'none' ");
// The KVM currently needs to load images from base64 encoded
// strings. img-src 'self' data: is used to allow that.
- // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
+ // https://stackoverflow.com/questions/18447970/content-security-polic
+ // y-data-not-working-for-base64-images-in-chrome-28
}
else
{
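Review bot: `'none'` is not a valid value for `plugin-types`; the CSP2 grammar defines its value as a list of media types (e.g. `application/pdf`), so browsers report the token as an invalid plugin type rather than treating it as an explicit "no plugins" keyword, Firefox never implemented the directive, and it was dropped from CSP3. The portable way to express "plugins are not allowed" is `object-src 'none'`, which is also what the OWASP cheat sheet cited in the message recommends; consider replacing `"plugin-types 'none'; "` with `"object-src 'none'; "`. Two smaller points in the same hunk: `"base-uri 'none' "` carries a stray trailing space inside the string literal (the other directives end in `"; "`, and the last one needs no separator), and the StackOverflow reference comment has been wrapped mid-word (`content-security-polic` / `y-data-...`), which leaves a URL nobody can copy; keep it on one line with a lint exception rather than splitting it.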
@@ -44,7 +49,11 @@
"font-src *; "
"style-src *; "
"script-src *; "
- "connect-src *");
+ "connect-src *; "
+ "form-action *; "
+ "frame-ancestors *; "
+ "plugin-types *; "
+ "base-uri *");
const std::string_view origin = req.getHeaderValue("Origin");
res.addHeader(bf::access_control_allow_origin, origin);
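Review bot: in this permissive (`*`) branch the four new directives add no restriction, because a CSP with no `form-action`, `frame-ancestors` or `base-uri` directive already imposes none, and `plugin-types *` is again not a valid media-type list; the effect is only that the policy now reads as deliberately allowing framing and form posts from any origin. Either drop these four lines from the unrestricted branch or add a comment stating that this branch is intentionally wide open (the commit message describes `frame-ancestors 'none'` as preventing clickjacking, so a reviewer will otherwise wonder why the same header is set to `*` here). Note also that `frame-ancestors *` still overrides any `X-Frame-Options` header in browsers that support CSP2, so if that header is set elsewhere in this file it will be ignored for responses that take this branch.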