document signing: whitelist CSP frame-src for doc sign endpoint URL

If document signing is enabled in loolwsd.xml, then explicitly whitelist
iframe creation towards the doc sign endpoint server, to avoid

> Refused to frame '...' because it violates the following Content Security Policy directive: "frame-src 'self' blob:".

Note that this happened only in non-debug builds, as we currently don't
send any Content Security Policy headers in debug builds.

Change-Id: Iee2a0644d67d5803ab3f5c636b8e960fa619792f
Miklos Vajna
2018-12-05 16:13:26 +01:00
parent 7c262f5e82
commit 6e0d1ad707

@ -670,9 +670,11 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "X-XSS-Protection: 1; mode=block\r\n"
<< "Referrer-Policy: no-referrer\r\n";
// Document signing: if endpoint URL is configured, whitelist that for
// iframe purposes.
std::ostringstream cspOss;
cspOss << "Content-Security-Policy: default-src 'none'; "
<< "frame-src 'self' blob:; "
<< "frame-src 'self' blob: " << documentSigningURL << "; "
<< "connect-src 'self' " << host << "; "
<< "script-src 'unsafe-inline' 'self'; "
<< "style-src 'self' 'unsafe-inline'; "
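Review bot: documentSigningURL is written into the header unvalidated in the `<< "frame-src 'self' blob: " << documentSigningURL << "; "` line, and nothing in the visible lines checks its contents. A configured value containing ';' would end frame-src and be parsed as further CSP directives, and a CR/LF in it would break out of the header line. Suggest reducing the configured URL to its origin (scheme, host, port) before emitting it, and rejecting values that contain ';', ',', whitespace or control characters. Separately, the comment says the whitelist applies "if endpoint URL is configured", but the hunk has no such condition: either add the check or reword the comment to state that an empty value leaves the directive as `frame-src 'self' blob:`.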