From 43656aaa1ef98c5b00f58d667648122e273fb3ad Mon Sep 17 00:00:00 2001
From: Thomas Piccirello <thomas@piccirello.com>
Date: Thu, 31 May 2018 00:51:48 -0400
Subject: [PATCH] Add form-action to CSP

This option restricts all form submissions to the WebUI's origin.
qBittorrent only ever submits forms to the origin, so this is intended as a security measure.
---
 src/webui/webapplication.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 22d26b8b6..fe6ec8807 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -534,7 +534,7 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
     header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
     header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
 
-    QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
+    QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
     if (m_isClickjackingProtectionEnabled) {
         header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
         csp += QLatin1String(" frame-ancestors 'self';");