Implement XSS override

There are a number of situations that come up in development, where it
is very useful to launch phosphor-webui from a remote host. Currently
this is disallowed based on the bmcweb security posture.

This commit makes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION much more
useful, by actually applying the headers that would allow one to launch
the webui from a remote system successfully.

Tested by:
Adding BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON to the cmake options
in the bitbake file, then launching phosphor-webui using
npm run-script server
WebUI logged in without issue

Change-Id: I2b7fe53aab611536b4b27b2704e20d098507a5e7
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
diff --git a/include/webserver_common.hpp b/include/webserver_common.hpp
index f0cfe11..684387d 100644
--- a/include/webserver_common.hpp
+++ b/include/webserver_common.hpp
@@ -19,6 +19,6 @@
#include "token_authorization_middleware.hpp"
#include "webserver_common.hpp"
-using CrowApp = crow::App<crow::persistent_data::Middleware,
- crow::token_authorization::Middleware,
- crow::SecurityHeadersMiddleware>;
+using CrowApp = crow::App<crow::SecurityHeadersMiddleware,
+ crow::persistent_data::Middleware,
+ crow::token_authorization::Middleware>;
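Review bot: the new order of the CrowApp template arguments has no comment saying why crow::SecurityHeadersMiddleware must now come before crow::persistent_data::Middleware and crow::token_authorization::Middleware, so a later cleanup could restore the old order without anyone noticing. Suggest a one-line comment above `using CrowApp = ...` that states the ordering requirement and ties it to BMCWEB_INSECURE_DISABLE_XSS_PREVENTION. Separately, the context line `#include "webserver_common.hpp"` sits inside include/webserver_common.hpp itself and looks like a self-include that could be dropped. The headers the commit message says are applied when the flag is set are not in this hunk, so that change needs to be reviewed where the flag is consumed, including a check that the default build (flag off) sends the same headers as before.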