github/qBittorrent
1
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent synced 2025-07-14 01:03:08 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Add option to control WebUI clickjacking protection

Browse source 
Some users actually want embedding WebUI into their custom build iframe.
Closes #7370.
This commit is contained in:
Chocobo1 2018-05-21 23:33:44 +08:00
parent e8a69dd60c
commit bad4d94f77
No known key found for this signature in database
GPG key ID: 210D9C873253A68C
8 changed files with 52 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

10
src/webui/webapplication.cpp
View file

@ -428,6 +428,8 @@ void WebApplication::configure()
m_currentLocale = newLocale;
m_translatedFiles.clear();
}
m_isClickjackingProtectionEnabled = pref->isWebUiClickjackingProtectionEnabled();
}
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -525,11 +527,13 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
print(error.message(), Http::CONTENT_TYPE_TXT);
}
// avoid clickjacking attacks
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
if (m_isClickjackingProtectionEnabled) {
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
header(Http::HEADER_CONTENT_SECURITY_POLICY, "default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none';");
}
return response();
}