author | Ed Tanous <ed.tanous@intel.com> | 2018-12-20 12:30:45 -0800 |
---|---|---|
committer | Ed Tanous <ed.tanous@intel.com> | 2019-02-21 01:45:55 +0000 |
commit | 3eb2f35f28249b9b5dc2159a44ca75a0fa7677a5 (patch) | |
tree | fdd26d7d50088bdef022f1d58de8e38458ef6552 /include/security_headers_middleware.hpp | |
parent | 2f1ebcd18ca79f4bf19a0924a0b26a8436f24f6c (diff) | |
Implement KVM websocket proxy in bmcweb
This patchset implements a KVM websocket proxy designed to interoperate
with phosphor-webui and KVM. In short, IP address 127.0.0.1:5900 is
proxied to the websocket. This allows someone to connect from a browser
session.
Requires patchset here for the phosphor-webui side:
https://gerrit.openbmc-project.xyz/#/c/openbmc/phosphor-webui/+/10268/
and requires the kvm patches here:
https://gerrit.openbmc-project.xyz/#/c/openbmc/meta-phosphor/+/13536/
Tested By:
Launched webui, observed KVM. Moved mouse, and typed on keyboard,
changes appeared on host system.
Change-Id: I407488f4b16be208b188a0abc19954a0243af173
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'include/security_headers_middleware.hpp')
-rw-r--r-- | include/security_headers_middleware.hpp | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp index 5e8e7d9..1ebc43c 100644 --- a/include/security_headers_middleware.hpp +++ b/include/security_headers_middleware.hpp @@ -36,7 +36,12 @@ struct SecurityHeadersMiddleware res.addHeader(bf::pragma, "no-cache"); res.addHeader(bf::cache_control, "no-Store,no-Cache"); - res.addHeader("Content-Security-Policy", "default-src 'self'"); + + // The KVM currently needs to load images from base64 encoded strings. + // img-src 'self' data: is used to allow that. + // https://stackoverflow.com/questions/18447970/content-security-policy-data-not-working-for-base64-images-in-chrome-28 + res.addHeader("Content-Security-Policy", + "default-src 'self'; img-src 'self' data:"); res.addHeader("X-XSS-Protection", "1; " "mode=block"); res.addHeader("X-Content-Type-Options", "nosniff"); |
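Review bot: The relaxed policy in the added `res.addHeader("Content-Security-Policy", ...)` call is sent on every response that passes through SecurityHeadersMiddleware, while the new comment says only the KVM needs `data:` images. If the middleware can see the request path, consider keeping `default-src 'self'` as the general policy and adding `img-src 'self' data:` only for the KVM page, so the rest of the UI keeps the stricter image policy. The comment says the KVM "currently" needs this, so a TODO naming the condition under which `data:` can be dropped again would help a later reader decide when to tighten it. Also note that no `connect-src` is set, so the websocket connection this commit introduces is governed by the `default-src 'self'` fallback; a line in the comment stating that this is intended would document that the KVM socket is expected to be same-origin only.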