github/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent synced 2025-07-14 09:13:08 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Add upgrade-insecure-requests to CSP when HTTPS is enabled

Browse source 
This option automatically upgrades all http connections to https.
It ensures http urls cannot be accessed when in https mode, and is intended as a security measure.
This commit is contained in:
Thomas Piccirello 2018-05-31 00:44:48 -04:00
parent 6e96bbb2e9
commit 8f98f87d12
2 changed files with 5 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/webui/webapplication.cpp
View file

@ -431,6 +431,7 @@ void WebApplication::configure()
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled(); m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled(); m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
} }
void WebApplication::registerAPIController(const QString &scope, APIController *controller) void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -538,6 +539,9 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN"); header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';"); csp += QLatin1String(" frame-ancestors 'self';");
} }
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp); header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);

1
src/webui/webapplication.h
View file

@ -146,4 +146,5 @@ private:
// security related // security related
bool m_isClickjackingProtectionEnabled; bool m_isClickjackingProtectionEnabled;
bool m_isCSRFProtectionEnabled; bool m_isCSRFProtectionEnabled;
bool m_isHttpsEnabled;
}; };