Remove XSS prevention code

This feature was created for a time before webpack had a built in proxy,
and to debug the UI required setting specific flags.  The webpack proxy
solves this problem in a much better way, by proxying everything.

This commit is one piece in solving a use-after-free bug.  Removing
this allows us to no longer have to cache the origin header [1], which
is only used in this mode.

Tested: Code compiles.

[1] https://gerrit.openbmc.org/c/openbmc/bmcweb/+/70850

Change-Id: I01d67006e217c0c9fd2db7526c0ec34b0da068f3
Signed-off-by: Ed Tanous <ed@tanous.net>
diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index a9c3fc4..c0855f4 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -58,51 +58,19 @@
         res.addHeader("Cross-Origin-Embedder-Policy", "require-corp");
         res.addHeader("Cross-Origin-Opener-Policy", "same-origin");
         res.addHeader("Cross-Origin-Resource-Policy", "same-origin");
-        if (bmcwebInsecureDisableXssPrevention == 0)
-        {
-            res.addHeader("Content-Security-Policy", "default-src 'none'; "
-                                                     "img-src 'self' data:; "
-                                                     "font-src 'self'; "
-                                                     "style-src 'self'; "
-                                                     "script-src 'self'; "
-                                                     "connect-src 'self' wss:; "
-                                                     "form-action 'none'; "
-                                                     "frame-ancestors 'none'; "
-                                                     "object-src 'none'; "
-                                                     "base-uri 'none' ");
-            // The KVM currently needs to load images from base64 encoded
-            // strings. img-src 'self' data: is used to allow that.
-            // https://stackoverflow.com/questions/18447970/content-security-polic
-            // y-data-not-working-for-base64-images-in-chrome-28
-        }
-        else
-        {
-            // If XSS is disabled, we need to allow loading from addresses
-            // other than self, as the BMC will be hosted elsewhere.
-            res.addHeader("Content-Security-Policy", "default-src 'none'; "
-                                                     "img-src * data:; "
-                                                     "font-src *; "
-                                                     "style-src *; "
-                                                     "script-src *; "
-                                                     "connect-src *; "
-                                                     "form-action *; "
-                                                     "frame-ancestors *; "
-                                                     "object-src *; "
-                                                     "base-uri *");
-
-            std::string_view origin = req.getHeaderValue("Origin");
-            res.addHeader(bf::access_control_allow_origin, origin);
-            res.addHeader(bf::access_control_allow_methods, "GET, "
-                                                            "POST, "
-                                                            "PUT, "
-                                                            "PATCH, "
-                                                            "DELETE");
-            res.addHeader(bf::access_control_allow_credentials, "true");
-            res.addHeader(bf::access_control_allow_headers, "Origin, "
-                                                            "Content-Type, "
-                                                            "Accept, "
-                                                            "Cookie, "
-                                                            "X-XSRF-TOKEN");
-        }
+        res.addHeader("Content-Security-Policy", "default-src 'none'; "
+                                                 "img-src 'self' data:; "
+                                                 "font-src 'self'; "
+                                                 "style-src 'self'; "
+                                                 "script-src 'self'; "
+                                                 "connect-src 'self' wss:; "
+                                                 "form-action 'none'; "
+                                                 "frame-ancestors 'none'; "
+                                                 "object-src 'none'; "
+                                                 "base-uri 'none' ");
+        // The KVM currently needs to load images from base64 encoded
+        // strings. img-src 'self' data: is used to allow that.
+        // https://stackoverflow.com/questions/18447970/content-security-polic
+        // y-data-not-working-for-base64-images-in-chrome-28
     }
 }
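Review bot: The now-unconditional policy gives the next reader no hint that the relaxed cross-origin mode was removed on purpose; since the commit message says the webpack dev proxy replaces it, a comment above `res.addHeader("Content-Security-Policy", ...)` such as `// Intentionally fixed: UI development against a remote BMC goes through the webpack dev proxy rather than a relaxed CSP or CORS headers.` would keep that decision next to the code. The literal still ends with a trailing space in `"base-uri 'none' "`; browsers tolerate it, but `"base-uri 'none'"` is the tidier form. If `bmcwebInsecureDisableXssPrevention` is still declared in the generated config header or exposed as a build option, it is now dead and should be removed in the same series so nobody sets a flag that has no effect; that cannot be confirmed from this hunk. The enclosing function begins outside the hunk.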