github/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent synced 2025-07-14 01:03:08 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Merge pull request #9013 from Piccirello/strengthen-csp

Browse source 
More restrictive Content Security Policy
This commit is contained in:
Mike Tzou 2018-06-03 21:43:39 +08:00 committed by GitHub
commit 5f8feec1c1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 9 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/webui/webapplication.cpp
View file

@ -432,6 +432,7 @@ void WebApplication::configure()
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
}
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -534,11 +535,14 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
if (m_isClickjackingProtectionEnabled) {
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';");
}
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);