author | Ed Tanous <ed.tanous@intel.com> | 2018-08-09 10:58:08 -0700 |
committer | Ed Tanous <ed.tanous@intel.com> | 2018-08-15 17:53:41 +0000 |
commit | fd828baf872f3a3d10ae626d4e68509f31b30384 (patch) | |
tree | c6f32ca293d75310212dc2428d8fec4199263a0e /include/security_headers_middleware.hpp | |
parent | 09c9dd01d73b13323a677ab0fd8cb4ff71816c8a (diff) | |
Implement XSS override
There are a number of situations that come up in development where it
is very useful to launch phosphor-webui from a remote host. Currently
this is disallowed based on the bmcweb security posture.
This commit makes the BMCWEB_INSECURE_DISABLE_XSS_PREVENTION much more
useful, by actually applying the headers that would allow one to launch
the webui from a remote system successfully.
Tested by:
Adding BMCWEB_INSECURE_DISABLE_XSS_PREVENTION=ON to the cmake options
in the bitbake file, then launching phosphor-webui using
npm run-script server
WebUI logged in without issue
Change-Id: I2b7fe53aab611536b4b27b2704e20d098507a5e7
Signed-off-by: Ed Tanous <ed.tanous@intel.com>
Diffstat (limited to 'include/security_headers_middleware.hpp')
-rw-r--r-- | include/security_headers_middleware.hpp | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/include/security_headers_middleware.hpp b/include/security_headers_middleware.hpp
index f7bc478..750f87b 100644
--- a/include/security_headers_middleware.hpp
+++ b/include/security_headers_middleware.hpp
@@ -29,7 +29,13 @@ static const char* cacheControlValue = "no-Store,no-Cache";
 struct SecurityHeadersMiddleware {
 struct Context {};
- void beforeHandle(crow::Request& req, Response& res, Context& ctx) {}
+ void beforeHandle(crow::Request& req, Response& res, Context& ctx) {
+#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
+ if ("OPTIONS"_method == req.method()) {
+ res.end();
+ }
+#endif
+ }
 void afterHandle(Request& req, Response& res, Context& ctx) {
 /*
@@ -44,6 +50,16 @@ struct SecurityHeadersMiddleware {
 res.addHeader(contentSecurityKey, contentSecurityValue);
 res.addHeader(pragmaKey, pragmaValue);
 res.addHeader(cacheControlKey, cacheControlValue);
+
+#ifdef BMCWEB_INSECURE_DISABLE_XSS_PREVENTION
+
+ res.addHeader("Access-Control-Allow-Origin", "http://localhost:8080");
+ res.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, PATCH");
+ res.addHeader("Access-Control-Allow-Credentials", "true");
+ res.addHeader("Access-Control-Allow-Headers",
+ "Origin, Content-Type, Accept, Cookie, X-XSRF-TOKEN");
+
+#endif
 }
 };
 } // namespace crow |
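Review bot: With the override compiled in, `beforeHandle` completes every OPTIONS request with `res.end()` before any route handler runs, but it sets neither a status nor the `Access-Control-*` headers; whether the preflight reply carries them depends on `afterHandle` still being invoked for an already-completed response, which this hunk does not show and which should be pinned down in a comment such as `// Preflight short-circuit: relies on afterHandle still adding the Access-Control-* headers`. In the default build none of the three parameters is used, so they should be left unnamed or marked `[[maybe_unused]]` to keep a warning-free build. The new signature also spells `crow::Request` where the sibling `afterHandle` on the next line uses plain `Request`; the two should agree.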
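Review bot: The four `Access-Control-*` headers are added to every response whenever the build flag is set, with the origin fixed to `http://localhost:8080` and `Access-Control-Allow-Credentials` set to `true`, so the session cookie becomes usable cross-origin from that origin on all endpoints; the `#ifdef` block should carry a comment that states this and its intended scope, e.g. `// Development only: grants the local webui dev server credentialed cross-origin access to every route. Must not be enabled in a shipping image.` Since the option is named for XSS prevention while what it relaxes is the same-origin/CSRF posture, that comment should say so to keep the flag from being read as cosmetic. For consistency with the `static const char*` key/value pairs at the top of this file (`cacheControlValue` is visible in the hunk header), the origin literal belongs in a named constant, e.g. `static const char* allowedOriginValue = "http://localhost:8080";`, so it is changed in one place. `afterHandle` starts in the previous hunk; its opening lines are outside this one.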