Update Content-Security-Policy

This changes the HTTP response header X-Content-Security-Policy
to Content-Security-Policy and changes its value to allow WebSocket
upgrades.

The X-Content-Security-Policy header is deprecated per
https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP and
https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet.

The problem with using the default-src (or connect-src) directive with
the 'self' value when upgrading from https: to wss: is that it blocks
the upgrade. The problem is described here:
https://github.com/w3c/webappsec-csp/issues/7

A similar problem happens with the KVM video (with media-src).

I was unable to find an authoritative fix for this problem.

Tested: pending

Change-Id: Ia8df1e8c3900d81242a5e043ee0601e259bbc9d2
Signed-off-by: Joseph Reynolds <jrey@us.ibm.com>
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 561fd81..04fc913 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -18,8 +18,9 @@
 static const char* xssKey = "X-XSS-Protection";
 static const char* xssValue = "1; mode=block";
 
-static const char* contentSecurityKey = "X-Content-Security-Policy";
-static const char* contentSecurityValue = "default-src 'self'";
+static const char* contentSecurityKey = "Content-Security-Policy";
+static const char* contentSecurityValue =
+    "script-src 'self'; object-src 'self'";
 
 static const char* pragmaKey = "Pragma";
 static const char* pragmaValue = "no-cache";
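Review bot: The new contentSecurityValue drops default-src altogether, so every fetch directive other than script-src and object-src (connect-src, img-src, style-src, media-src, frame-src and so on) loses its fallback and becomes unrestricted. That is much broader than the WebSocket and KVM video cases the commit message describes. Consider keeping "default-src 'self'" and adding only the exceptions that are needed: an explicit connect-src listing 'self' plus the wss: scheme (or the specific wss origin), and a matching media-src entry for the KVM video. object-src could also be tightened to 'none' unless plugin content is actually served from this origin. Since the message says "Tested: pending", it would help to record which browsers were checked for both the WebSocket upgrade and the KVM video before this merges.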