Gitiles
Code Review Sign In
gerrit.openbmc.org / openbmc / bmcweb / e6de21ad051f226e746f6a522796ef0dace2660b^! / .
commite6de21ad051f226e746f6a522796ef0dace2660b[log] [tgz]
authorEd Tanous <ed.tanous@intel.com>Wed Aug 21 12:50:42 2019 -0700
committerEd Tanous <ed.tanous@intel.com>Thu Aug 29 16:15:21 2019 +0000
tree11ed38438cdfc9da41d7438774d63659bfaed03c
parentbc48a175d5cf0b0426a72730e9542042532959cc [diff]
Improve the security headers

This patchset consists of two primary changes.

1. Content-Security-Policy is adjusted such that the "default" allowed
source is none, then we explicitly enable the few features we actually
use by setting them to self
2. Updates the XSS variables to simply forward back the hostname given
in the AccessControlAllowOrigin flag, which means that webpack dev
server could be running on any port.

Tested:
Tested IE11, Edge, Firefox, and Chrome for CSP errors.  Firefox flags
one error that doesn't seem to effect the webui.  All other browsers
load without issue.

Tested launching webpack-dev-server with XSS settings enabled.
Launches without warning on any port

Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Change-Id: Id38f607917d19b0106c4c7708c764c45b646891e

diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index 1ebc43c..83df24c 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp

@@ -37,19 +37,23 @@
         res.addHeader(bf::pragma, "no-cache");
         res.addHeader(bf::cache_control, "no-Store,no-Cache");
 
-        // The KVM currently needs to load images from base64 encoded strings.
-        // img-src 'self' data: is used to allow that.
+        res.addHeader("Content-Security-Policy", "default-src 'none'; "
+                                                 "img-src 'self' data:; "
+                                                 "font-src 'self'; "
+                                                 "style-src 'self'; "
+                                                 "script-src 'self'; "
+                                                 "connect-src 'self' wss:");
+        // The KVM currently needs to load images from base64 encoded
+        // strings. img-src 'self' data: is used to allow that.
         // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28
-        res.addHeader("Content-Security-Policy",
-                      "default-src 'self'; img-src 'self' data:");
+
         res.addHeader("X-XSS-Protection", "1; "
                                           "mode=block");
         res.addHeader("X-Content-Type-Options", "nosniff");
-        res.addHeader("X-UA-Compatible", "IE=11");
 
 #ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
-
-        res.addHeader(bf::access_control_allow_origin, "http://localhost:8080");
+        res.addHeader(bf::access_control_allow_origin,
+                      req.getHeaderValue("Origin"));
         res.addHeader(bf::access_control_allow_methods, "GET, "
                                                         "POST, "
                                                         "PUT, "