Remove XSS prevention code
This feature was created for a time before webpack had a built in proxy,
and to debug the UI required setting specific flags. The webpack proxy
solves this problem in a much better way, by proxying everything.
This commit is one piece in solving a use-after-free bug. Removing
this allows us to no longer have to cache the origin header [1], which
is only used in this mode.
Tested: Code compiles.
[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/70850
Change-Id: I01d67006e217c0c9fd2db7526c0ec34b0da068f3
Signed-off-by: Ed Tanous <ed@tanous.net>
diff --git a/config/bmcweb_config.h.in b/config/bmcweb_config.h.in
index d3b174c..a8ae29e 100644
--- a/config/bmcweb_config.h.in
+++ b/config/bmcweb_config.h.in
@@ -4,9 +4,6 @@
#include <cstddef>
// clang-format off
-constexpr const int bmcwebInsecureDisableXssPrevention =
- @BMCWEB_INSECURE_DISABLE_XSS_PREVENTION@;
-
constexpr const bool bmcwebInsecureEnableQueryParams = @BMCWEB_INSECURE_ENABLE_QUERY_PARAMS@ == 1;
constexpr const size_t bmcwebHttpReqBodyLimitMb = @BMCWEB_HTTP_REQ_BODY_LIMIT_MB@;
diff --git a/config/meson.build b/config/meson.build
index 1c6f78a..26c9bd4 100644
--- a/config/meson.build
+++ b/config/meson.build
@@ -2,8 +2,6 @@
conf_data = configuration_data()
conf_data.set('BMCWEB_HTTP_REQ_BODY_LIMIT_MB', get_option('http-body-limit'))
-xss_enabled = get_option('insecure-disable-xss')
-conf_data.set10('BMCWEB_INSECURE_DISABLE_XSS_PREVENTION', xss_enabled.allowed())
enable_redfish_query = get_option('insecure-enable-redfish-query')
conf_data.set10('BMCWEB_INSECURE_ENABLE_QUERY_PARAMS', enable_redfish_query.allowed())
# enable_redfish_aggregation = get_option('redfish-aggregation')
diff --git a/include/cors_preflight.hpp b/include/cors_preflight.hpp
deleted file mode 100644
index b727222..0000000
--- a/include/cors_preflight.hpp
+++ /dev/null
@@ -1,19 +0,0 @@
-#pragma once
-
-#include "app.hpp"
-#include "http_request.hpp"
-#include "http_response.hpp"
-
-namespace cors_preflight
-{
-inline void requestRoutes(App& app)
-{
- BMCWEB_ROUTE(app, "<str>")
- .methods(boost::beast::http::verb::options)(
- [](const crow::Request& /*req*/,
- const std::shared_ptr<bmcweb::AsyncResp>&, const std::string&) {
- // An empty body handler that simply returns the headers bmcweb
- // uses This allows browsers to do their CORS preflight checks
- });
-}
-} // namespace cors_preflight
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index a9c3fc4..c0855f4 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -58,51 +58,19 @@
res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
- if (bmcwebInsecureDisableXssPrevention == 0)
- {
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src 'self' data:; "
- "font-src 'self'; "
- "style-src 'self'; "
- "script-src 'self'; "
- "connect-src 'self' wss:; "
- "form-action 'none'; "
- "frame-ancestors 'none'; "
- "object-src 'none'; "
- "base-uri 'none' ");
- // The KVM currently needs to load images from base64 encoded
- // strings. img-src 'self' data: is used to allow that.
- // https://stackoverflow.com/questions/18447970/content-security-polic
- // y-data-not-working-for-base64-images-in-chrome-28
- }
- else
- {
- // If XSS is disabled, we need to allow loading from addresses
- // other than self, as the BMC will be hosted elsewhere.
- res.addHeader("Content-Security-Policy", "default-src 'none'; "
- "img-src * data:; "
- "font-src *; "
- "style-src *; "
- "script-src *; "
- "connect-src *; "
- "form-action *; "
- "frame-ancestors *; "
- "object-src *; "
- "base-uri *");
-
- std::string_view origin = req.getHeaderValue("Origin");
- res.addHeader(bf::access_control_allow_origin, origin);
- res.addHeader(bf::access_control_allow_methods, "GET, "
- "POST, "
- "PUT, "
- "PATCH, "
- "DELETE");
- res.addHeader(bf::access_control_allow_credentials, "true");
- res.addHeader(bf::access_control_allow_headers, "Origin, "
- "Content-Type, "
- "Accept, "
- "Cookie, "
- "X-XSRF-TOKEN");
- }
+ res.addHeader("Content-Security-Policy", "default-src 'none'; "
+ "img-src 'self' data:; "
+ "font-src 'self'; "
+ "style-src 'self'; "
+ "script-src 'self'; "
+ "connect-src 'self' wss:; "
+ "form-action 'none'; "
+ "frame-ancestors 'none'; "
+ "object-src 'none'; "
+ "base-uri 'none' ");
+ // The KVM currently needs to load images from base64 encoded
+ // strings. img-src 'self' data: is used to allow that.
+ // https://stackoverflow.com/questions/18447970/content-security-polic
+ // y-data-not-working-for-base64-images-in-chrome-28
}
}
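Review bot: The Content-Security-Policy value that is now emitted unconditionally carries a trailing space inside the last literal, `"base-uri 'none' "`; browsers tolerate it, but since these lines are being rewritten anyway it is worth trimming to `"base-uri 'none'"` so the header value ends cleanly. The enclosing function begins before this hunk, so its signature is not visible here; if `req` was read only by the deleted `req.getHeaderValue("Origin")` line, it is now an unused parameter and should be marked `/*req*/` (or dropped from the signature) before a warnings-as-errors build rejects it. The `bf::` alias used by the removed `access_control_*` calls may likewise have lost its last user in this file and would then be dead. Both inferences need confirming against the full file.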
diff --git a/meson_options.txt b/meson_options.txt
index 39a410b..d10d1b3 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -316,13 +316,6 @@
)
option(
- 'insecure-disable-xss',
- type: 'feature',
- value: 'disabled',
- description: 'Disable XSS preventions'
-)
-
-option(
'insecure-tftp-update',
type: 'feature',
value: 'disabled',
diff --git a/src/webserver_run.cpp b/src/webserver_run.cpp
index bb03723..f02ead9 100644
--- a/src/webserver_run.cpp
+++ b/src/webserver_run.cpp
@@ -3,7 +3,6 @@
#include "bmcweb_config.h"
#include "app.hpp"
-#include "cors_preflight.hpp"
#include "dbus_monitor.hpp"
#include "dbus_singleton.hpp"
#include "event_service_manager.hpp"
@@ -81,11 +80,6 @@
crow::google_api::requestRoutes(app);
#endif
- if (bmcwebInsecureDisableXssPrevention != 0)
- {
- cors_preflight::requestRoutes(app);
- }
-
crow::login_routes::requestRoutes(app);
#ifdef BMCWEB_ENABLE_VM_NBDPROXY