author | Julius Härtl <jus@bitgrid.net> | 2021-11-02 10:06:09 +0100 |
committer | Andras Timar <andras.timar@collabora.com> | 2021-11-02 11:06:19 +0100 |
commit | 3eab4f70a234cf2d30c4567cff9857b2fb22ebb2 (patch) | |
tree | 34c943de03cef125a2bfb501239e22278fbd1f7d /wsd | |
parent | clipboard: fix partial content read for text/html (diff) | |
wsd: Only add one img-src rule to the CSP header
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Change-Id: I8ac3f077e4537f92943fa57bf863129d9bc36c6f
Diffstat (limited to 'wsd')
-rw-r--r-- | wsd/FileServer.cpp | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index d75a2ea4d5..4169fcb5f5 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -1019,7 +1019,7 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request,
 // Document signing: if endpoint URL is configured, whitelist that for
 // iframe purposes.
 std::ostringstream cspOss;
- cspOss << "Content-Security-Policy: default-src 'none'; img-src 'self' data: https://www.collaboraoffice.com/;"
+ cspOss << "Content-Security-Policy: default-src 'none'; "
 #ifdef ENABLE_FEEDBACK
 "frame-src 'self' " << FEEDBACK_LOCATION << " blob: " << documentSigningURL << "; "
 #else
@@ -1056,19 +1056,21 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request,
 }
 }
 
+ std::string imgSrc = "img-src 'self' data: https://www.collaboraoffice.com/";
 if (!frameAncestors.empty())
 {
 LOG_TRC("Allowed frame ancestors: " << frameAncestors);
 // X-Frame-Options supports only one ancestor, ignore that
 //(it's deprecated anyway and CSP works in all major browsers)
- cspOss << "img-src 'self' data: " << frameAncestors << "; "
+ // frame anchestors are also allowed for img-src in order to load the views avatars
+ cspOss << imgSrc << frameAncestors << "; "
 << "frame-ancestors " << frameAncestors;
 Poco::replaceInPlace(preprocess, std::string("%FRAME_ANCESTORS%"), frameAncestors);
 }
 else
 {
 LOG_TRC("Denied all frame ancestors");
- cspOss << "img-src 'self' data: none;";
+ cspOss << imgSrc << "; ";
 }
 cspOss << "\r\n";
 
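Review bot: In the second hunk `imgSrc` ends in `https://www.collaboraoffice.com/` with no trailing space, so `cspOss << imgSrc << frameAncestors` glues the two sources into a single token (`.../https://<ancestor>`), whereas the removed line kept a space after `data: `. A browser splits a CSP source list on whitespace, so the configured frame ancestor would not actually be granted for `img-src` (the avatar case the new comment describes) and the merged token is a malformed host-source that the policy then silently carries. Restoring the separator is a one-line change, `std::string imgSrc = "img-src 'self' data: https://www.collaboraoffice.com/ ";`, and the else branch stays valid since whitespace before `;` is harmless. The new comment's `anchestors` could read `ancestors` while the line is touched. `preprocessFile` begins and ends outside both hunks.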