Fix content-security-policy when XSS is disabled

Content-Security-Policy is a bit odd when loading from another source.
Technically, everything is cross site when in a debug context, so
blocking cross site scripting in this case is a bit nonsensical.

Tested:
This was reported to me, but I was unable to reproduce, so no way to
really test. Pushing for someone else to be able to test first, then
will update this once done.

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: I9ae125a5577c43164d5b3b1280b783336fbfec71
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 83df24c..a89acaa 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -37,6 +37,11 @@
         res.addHeader(bf::pragma, "no-cache");
         res.addHeader(bf::cache_control, "no-Store,no-Cache");
 
+        res.addHeader("X-XSS-Protection", "1; "
+                                          "mode=block");
+        res.addHeader("X-Content-Type-Options", "nosniff");
+
+#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
         res.addHeader("Content-Security-Policy", "default-src 'none'; "
                                                  "img-src 'self' data:; "
                                                  "font-src 'self'; "
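Review bot: Moving X-XSS-Protection and X-Content-Type-Options above the new #ifndef is the right call, since neither header depends on the build flag and "nosniff" in particular has nothing to do with the cross-origin debug case; the `#ifndef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION` opened here is closed in the next hunk, so the two hunks have to be read together to confirm the secure-build CSP (default-src 'none'; img-src 'self' data:; font-src 'self'; ...) is byte-for-byte unchanged from before. Consider naming the guard after what it actually does, e.g. a comment on the `#ifndef` line such as "// strict CSP for production builds", so a reader does not have to scroll to the `#else` to learn why the header is conditional.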
@@ -47,13 +52,18 @@
         // strings. img-src 'self' data: is used to allow that.
         // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
 
-        res.addHeader("X-XSS-Protection", "1; "
-                                          "mode=block");
-        res.addHeader("X-Content-Type-Options", "nosniff");
+#else
+        // If XSS is disabled, we need to allow loading from addresses other
+        // than self, as the BMC will be hosted elsewhere.
+        res.addHeader("Content-Security-Policy", "default-src 'none'; "
+                                                 "img-src *; "
+                                                 "font-src *; "
+                                                 "style-src *; "
+                                                 "script-src *; "
+                                                 "connect-src *");
 
-#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
-        res.addHeader(bf::access_control_allow_origin,
-                      req.getHeaderValue("Origin"));
+        const std::string_view origin = req.getHeaderValue("Origin");
+        res.addHeader(bf::access_control_allow_origin, origin);
         res.addHeader(bf::access_control_allow_methods, "GET, "
                                                         "POST, "
                                                         "PUT, "
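Review bot: The permissive branch drops the `data:` source that the comment a few lines above says the UI needs: `img-src *` does not match `data:` URLs, because the CSP `*` source expression only matches network schemes (http, https, ws, wss) and the page's own scheme, never data:, blob: or filesystem:. Base64-inlined images will therefore be blocked in exactly the debug build this change is meant to unbreak; suggest `"img-src * data:; "` (and, if the served UI relies on inline styles or scripts, the `'unsafe-inline'` keyword is likewise not implied by `*`). Two smaller points: the comment "If XSS is disabled" should read "If XSS prevention is disabled", since it is the protection, not the attack, that the flag turns off; and `res.addHeader(bf::access_control_allow_origin, origin)` still reflects the request's Origin header verbatim (pre-existing behaviour, now via `std::string_view`), so a one-line comment stating that this is intentional only under the INSECURE flag would help the next reader. The hunk as shown ends before the `#endif` that should close the `#ifndef`/`#else`, so please double-check that the conditional is balanced in the full file.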