Implement a Content-Security-Policy TODO
This TODO has been in bmcweb for a very long time. Implement it.
W3 sets rules for what security policies apply to which content
types[1]. Reading through this, essentially CSP should only apply to
HTML files.
Tested: Unit tests pass. Webui loads properly. Chrome network window
Shows headers show up as expected.
[1] https://www.w3.org/TR/CSP2/#which-policy-applies
Change-Id: I5467d0373832668763c72a66da2a8872e07bfb58
Signed-off-by: Ed Tanous <ed@tanous.net>
diff --git a/test/http/http2_connection_test.cpp b/test/http/http2_connection_test.cpp
index 81c78a9..34dc7cd 100644
--- a/test/http/http2_connection_test.cpp
+++ b/test/http/http2_connection_test.cpp
@@ -136,8 +136,8 @@
// Settings ACK from server to client
"\x00\x00\x00\x04\x01\x00\x00\x00\x00"
- // Start Headers frame stream 1, size 0x034b
- "\x00\x03\x4b\x01\x04\x00\x00\x00\x01"sv;
+ // Start Headers frame stream 1, size 0x005f
+ "\x00\x00\x5f\x01\x04\x00\x00\x00\x01"sv;
std::string_view expectedPostfix =
// Data Frame, Length 12, Stream 1, End Stream flag set
@@ -146,7 +146,7 @@
"StringOutput"sv;
std::string_view outStr;
- constexpr size_t headerSize = 0x34b;
+ constexpr size_t headerSize = 0x05f;
// Run until we receive the expected amount of data
while (outStr.size() <
@@ -164,27 +164,14 @@
unpackHeaders(outStr.substr(0, headerSize), headers);
outStr.remove_prefix(headerSize);
- EXPECT_THAT(
- headers,
- UnorderedElementsAre(
- Pair(":status", "200"), Pair("content-length", "12"),
- Pair("strict-transport-security",
- "max-age=31536000; includeSubdomains"),
- Pair("x-frame-options", "DENY"), Pair("pragma", "no-cache"),
- Pair("cache-control", "no-store, max-age=0"),
- Pair("x-content-type-options", "nosniff"),
- Pair("referrer-policy", "no-referrer"),
- Pair(
- "permissions-policy",
- "accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),display-capture=(),document-domain=(),encrypted-media=(),fullscreen=(),gamepad=(),geolocation=(),gyroscope=(),layout-animations=(self),legacy-image-formats=(self),magnetometer=(),microphone=(),midi=(),oversized-images=(self),payment=(),picture-in-picture=(),publickey-credentials-get=(),speaker-selection=(),sync-xhr=(self),unoptimized-images=(self),unsized-media=(self),usb=(),screen-wak-lock=(),web-share=(),xr-spatial-tracking=()"),
- Pair("x-permitted-cross-domain-policies", "none"),
- Pair("cross-origin-embedder-policy", "require-corp"),
- Pair("cross-origin-opener-policy", "same-origin"),
- Pair("cross-origin-resource-policy", "same-origin"),
- Pair(
- "content-security-policy",
- "default-src 'none'; img-src 'self' data:; font-src 'self'; style-src 'self'; script-src 'self'; connect-src 'self' wss:; form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'"),
- Pair("date", "TestTime")));
+ EXPECT_THAT(headers,
+ UnorderedElementsAre(
+ Pair(":status", "200"), Pair("content-length", "12"),
+ Pair("strict-transport-security",
+ "max-age=31536000; includeSubdomains"),
+ Pair("cache-control", "no-store, max-age=0"),
+ Pair("x-content-type-options", "nosniff"),
+ Pair("pragma", "no-cache"), Pair("date", "TestTime")));
EXPECT_EQ(outStr, expectedPostfix);
}