LibreOffice/online
1
0
Fork 0
mirror of https://github.com/LibreOffice/online.git synced 2025-08-13 13:17:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

document signing: whitelist CSP frame-src for doc sign endpoint URL

Browse Source 
If document signing is enabled in loolwsd.xml, then explicitly whitelist
iframe creation towards the doc sign endpoint server, to avoid

> Refused to frame '...' because it violates the following Content Security Policy directive: "frame-src 'self' blob:".

Note that this happened only in non-debug builds, as we currently don't
send eny Content Security Policy headers in debug builds.

Change-Id: Iee2a0644d67d5803ab3f5c636b8e960fa619792f
This commit is contained in:
Miklos Vajna
2018-12-05 16:13:26 +01:00
parent 7c262f5e82
commit 6e0d1ad707
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
wsd/FileServer.cpp
View File

@ -670,9 +670,11 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
<< "X-XSS-Protection: 1; mode=block\r\n" << "X-XSS-Protection: 1; mode=block\r\n"
<< "Referrer-Policy: no-referrer\r\n"; << "Referrer-Policy: no-referrer\r\n";
// Document signing: if endpoint URL is configured, whitelist that for
// iframe purposes.
std::ostringstream cspOss; std::ostringstream cspOss;
cspOss << "Content-Security-Policy: default-src 'none'; " cspOss << "Content-Security-Policy: default-src 'none'; "
<< "frame-src 'self' blob:; " << "frame-src 'self' blob: " << documentSigningURL << "; "
<< "connect-src 'self' " << host << "; " << "connect-src 'self' " << host << "; "
<< "script-src 'unsafe-inline' 'self'; " << "script-src 'unsafe-inline' 'self'; "
<< "style-src 'self' 'unsafe-inline'; " << "style-src 'self' 'unsafe-inline'; "