From 8f98f87d1228aaf2b23f1044f6173984b667835c Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Thu, 31 May 2018 00:44:48 -0400
Subject: [PATCH 1/3] Add upgrade-insecure-requests to CSP when HTTPS is enabled

This option automatically upgrades all http connections to https. It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.
---
src/webui/webapplication.cpp | 4 ++++
src/webui/webapplication.h | 1 +
2 files changed, 5 insertions(+)

diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 983f9caaf..22d26b8b6 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -431,6 +431,7 @@ void WebApplication::configure()
 m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
 m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
+ m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
 }
 void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@@ -538,6 +539,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
 header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
 csp += QLatin1String(" frame-ancestors 'self';");
 }
+ if (m_isHttpsEnabled) {
+ csp += QLatin1String(" upgrade-insecure-requests;");
+ }
 header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
diff --git a/src/webui/webapplication.h b/src/webui/webapplication.h
index eabb08cd1..7713cd72b 100644
--- a/src/webui/webapplication.h
+++ b/src/webui/webapplication.h
@@ -146,4 +146,5 @@ private:
 // security related
 bool m_isClickjackingProtectionEnabled;
 bool m_isCSRFProtectionEnabled;
+ bool m_isHttpsEnabled;
 };
From 43656aaa1ef98c5b00f58d667648122e273fb3ad Mon Sep 17 00:00:00 2001
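Review bot: The new `if (m_isHttpsEnabled)` block emits `upgrade-insecure-requests`, which only instructs a browser that has already received this response to rewrite http: subresource and navigation requests issued from that page; it does not prevent a client from opening a plain-http URL in the first place, so the commit message's "ensures http urls cannot be accessed" overstates the mechanism, and persistent enforcement for later connections would be a `Strict-Transport-Security` header, which this commit does not add. The flag mirrors the server's own TLS setting, so behind a TLS-terminating reverse proxy with qBittorrent itself on plain http the directive would presumably not be sent (inferred; no proxy handling is visible here). A comment above the block would stop the next reader from expecting HSTS semantics: `// CSP upgrade-insecure-requests: the browser rewrites http: requests made by this page to https; this is not HSTS.` processRequest() starts and ends outside the hunk.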
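Review bot: `bool m_isHttpsEnabled;` is declared without an initializer, so its value is indeterminate until `configure()` assigns it, and reading it in `processRequest()` before that point would be undefined behaviour; the two flags above it share the pattern, but a new member is the place to stop it. An in-class initializer `bool m_isHttpsEnabled = false;` costs nothing and makes the fallback ("directive not emitted") explicit, assuming the project builds as C++11 or later, which is not visible in the hunk. Whether anything can actually reach processRequest() before configure() cannot be told from this hunk either.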
From: Thomas Piccirello
Date: Thu, 31 May 2018 00:51:48 -0400
Subject: [PATCH 2/3] Add form-action to CSP

This option restricts all form submissions to the WebUI's origin. qBittorrent only ever submits forms to the origin, so this is intended as a security measure.
---
src/webui/webapplication.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/webui/webapplication.cpp b/src/webui/webapplication.cpp
index 22d26b8b6..fe6ec8807 100644
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@@ -534,7 +534,7 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
 header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
 header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
- QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
+ QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
 if (m_isClickjackingProtectionEnabled) {
 header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
 csp += QLatin1String(" frame-ancestors 'self';");
From 9b874b89415878acefb481d791aa236d39240f8e Mon Sep 17 00:00:00 2001
From: Thomas Piccirello
Date: Wed, 30 May 2018 22:35:07 -0400
Subject: [PATCH 3/3] Rename variables for clarity
---
src/webui/www/private/preferences_content.html | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/webui/www/private/preferences_content.html b/src/webui/www/private/preferences_content.html
index 7cf03a480..29a3e2ef9 100644
--- a/src/webui/www/private/preferences_content.html
+++ b/src/webui/www/private/preferences_content.html
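Review bot: The `+` line packs six directives into one ~170-character literal, so the actual change — appending `form-action 'self';` — is invisible in a side-by-side diff and every future directive will rewrite the whole line again. Adjacent string literals keep the value byte-identical while reading one directive per line, as below. The directive itself is the right mechanism: `form-action` has no `default-src` fallback, so without it a form injected into the page could submit to any origin, which is worth stating in a comment so nobody later "simplifies" it away. `script-src 'self' 'unsafe-inline'` on the same line remains the larger gap in this policy, outside this commit's scope. processRequest() starts and ends outside the hunk.
```cpp
    // One directive per line. form-action has no default-src fallback, so it
    // must be listed explicitly to keep form submissions on our own origin.
    QString csp = QLatin1String(
        "default-src 'self';"
        " style-src 'self' 'unsafe-inline';"
        " img-src 'self' data:;"
        " script-src 'self' 'unsafe-inline';"
        " object-src 'none';"
        " form-action 'self';");
    // … unchanged: clickjacking / frame-ancestors block …
```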
@@ -733,9 +733,9 @@
 // Web UI tab
 updateHttpsSettings = function() {
- var isAddTrackersEnabled = $('use_https_checkbox').getProperty('checked');
- $('ssl_key_textarea').setProperty('disabled', !isAddTrackersEnabled);
- $('ssl_cert_textarea').setProperty('disabled', !isAddTrackersEnabled);
+ var isUseHttpsEnabled = $('use_https_checkbox').getProperty('checked');
+ $('ssl_key_textarea').setProperty('disabled', !isUseHttpsEnabled);
+ $('ssl_cert_textarea').setProperty('disabled', !isUseHttpsEnabled);
 };
 updateBypasssAuthSettings = function() {