Implement XSS override

There are a number of situations that come up in development, where it
is very useful to launch phosphor-webui from a remote host.  Currently
this is disallowed based on the bmcweb security posture.

This commit makes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION much more
useful, by actually applying the headers that would allow one to launch
the webui from a remote system successfully.

Tested by:
Adding BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON to the cmake options
in the bitbake file, then launching phosphor-webui using
npm run-script server

WebUI logged in without issue

Change-Id: I2b7fe53aab611536b4b27b2704e20d098507a5e7
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index f7bc478..750f87b 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -29,7 +29,13 @@
 struct SecurityHeadersMiddleware {
   struct Context {};
 
-  void beforeHandle(crow::Request& req, Response& res, Context& ctx) {}
+  void beforeHandle(crow::Request& req, Response& res, Context& ctx) {
+#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
+    if ("OPTIONS"_method == req.method()) {
+      res.end();
+    }
+#endif
+  }
 
   void afterHandle(Request& req, Response& res, Context& ctx) {
     /*
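Review bot: The short-circuit at `if ("OPTIONS"_method == req.method())` answers every OPTIONS request with an empty response without looking at the request's Origin, so with the flag defined the preflight path is an unauthenticated endpoint for any caller; that is acceptable for a deliberate development override, but the code should say so rather than leave it to the build option's name. I would put a comment above the `#ifdef` such as `// Development-only CORS preflight: the browser sends OPTIONS without credentials, so answer it here before token authorization can reject it; relies on this middleware being listed first in CrowApp.` The dependency on middleware order lives in webserver_common.hpp and is not visible from this function, which is why the comment should name it. `res.end()` also leaves the status at whatever Response's default is; if a 204 is the intent, set the status code explicitly before ending.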
@@ -44,6 +50,16 @@
     res.addHeader(contentSecurityKey, contentSecurityValue);
     res.addHeader(pragmaKey, pragmaValue);
     res.addHeader(cacheControlKey, cacheControlValue);
+
+#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
+
+    res.addHeader("Access-Control-Allow-Origin", "http://localhost:8080");
+    res.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH");
+    res.addHeader("Access-Control-Allow-Credentials", "true");
+    res.addHeader("Access-Control-Allow-Headers",
+                  "Origin, Content-Type, Accept, Cookie, X-XSRF-TOKEN");
+
+#endif
   }
 };
 }  // namespace crow
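Review bot: The CORS headers are added to every response once the flag is defined, with the origin hard-coded to `http://localhost:8080` and paired with `Access-Control-Allow-Credentials: true`; that pairing is what allows the cookie-based session to be used cross-origin, so a comment explaining why this exact origin is chosen (presumably the port used by `npm run-script server` from the commit message) and why credentials must be allowed would save the next reader from guessing. `Access-Control-Allow-Methods` lists `GET, POST, PUT, PATCH` but not `DELETE`; if the webui issues DELETE requests, those preflights will fail, which is worth confirming. afterHandle begins in the previous hunk, so the comment block that opens there is the natural place for this explanation.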
diff --git a/include/webserver_common.hpp b/include/webserver_common.hpp
index f0cfe11..684387d 100644
--- a/include/webserver_common.hpp
+++ b/include/webserver_common.hpp
@@ -19,6 +19,6 @@
 #include "token_authorization_middleware.hpp"
 #include "webserver_common.hpp"
 
-using CrowApp = crow::App<crow::persistent_data::Middleware,
-                          crow::token_authorization::Middleware,
-                          crow::SecurityHeadersMiddleware>;
+using CrowApp = crow::App<crow::SecurityHeadersMiddleware,
+                          crow::persistent_data::Middleware,
+                          crow::token_authorization::Middleware>;
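Review bot: The reordered template arguments change the middleware execution order and are load-bearing for the OPTIONS short-circuit added to SecurityHeadersMiddleware::beforeHandle, yet nothing in this file records that, so a later cleanup could restore the old order without any compile error. I would add above the alias `// Order matters: SecurityHeadersMiddleware runs first so that, under BMCWEB_INSECURE_DISABLE_XSS_PREVENTION, its beforeHandle can answer the CORS preflight before token authorization rejects the uncredentialed OPTIONS request.` That beforeHandle runs in declaration order is taken from crow's middleware model and is not visible here; confirm it against the App definition.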