Add upgrade-insecure-requests to CSP when HTTPS is enabled

This option automatically upgrades all http connections to https.
It tells browsers to rewrite http:// URLs in the WebUI's own requests (subresources and navigations) to https:// while in HTTPS mode, and is intended as a security measure.
This commit is contained in:
Thomas Piccirello 2018-05-31 00:44:48 -04:00 committed by sledgehammer999
commit 23bf86a8a8
No known key found for this signature in database
GPG key ID: 6E4A2D025B7CC9A2
2 changed files with 5 additions and 0 deletions


@ -432,6 +432,7 @@ void WebApplication::configure()
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
}
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -539,6 +540,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';");
}
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
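Review bot: The `upgrade-insecure-requests` directive added at the `if (m_isHttpsEnabled)` branch only rewrites http:// URLs in requests the served page itself issues, and only in browsers that honour CSP; it does not stop a client from reaching the WebUI over plain HTTP or protect non-browser API consumers, so the commit message's "ensures http urls cannot be accessed" overstates it. If the intent is to keep browsers off HTTP altogether, the header that does that is HSTS, e.g. `header("Strict-Transport-Security", "max-age=31536000");` in the same branch, though it is sticky in browsers and should only be emitted once the HTTPS deployment is known to be stable. A short comment on the branch would keep the scope honest: `// Ask browsers to upgrade http:// subresource/navigation URLs to https://; does not enforce HTTPS on the listener itself.` `m_isHttpsEnabled` comes from the preference read in configure(), so if the server can fall back to plain HTTP when the certificate fails to load (not visible here), the directive would still be sent on an HTTP-served page, which is harmless but misleading. processRequest continues past the end of this hunk.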


@ -146,4 +146,5 @@ private:
// security related
bool m_isClickjackingProtectionEnabled;
bool m_isCSRFProtectionEnabled;
bool m_isHttpsEnabled;
};
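Review bot: `bool m_isHttpsEnabled;` has no in-class initializer, so its value is indeterminate until configure() assigns it; reading it in processRequest before then would be undefined behaviour. A default-member initializer, `bool m_isHttpsEnabled = false;`, makes the member well-defined and fail-safe regardless of call order (the sibling flags above it have the same gap and could be given the same treatment). This is presumably harmless if configure() always runs before any request is handled, but that ordering is not visible here.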