mirror/qBittorrent
2
0
Fork 0
mirror of https://github.com/qbittorrent/qBittorrent.git synced 2025-01-06 15:04:34 +08:00
Code Issues Packages Projects Releases Wiki Activity

Revise CSP header

Browse Source 
The majority of the CSP is tuned for built-in WebUI, it may not be
suitable for alternative UI.

Also add QLatin1String to strings. This code path is called repeatedly,
it is worth adding QLatin1String to squeeze out the last bit of
performance.
This commit is contained in:
Chocobo1 2018-12-10 22:26:46 +08:00
parent 7fd30fa90f
commit c1912e17c1
No known key found for this signature in database
GPG Key ID: 210D9C873253A68C
2 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
src/webui/webapplication.cpp
View File

@ -457,6 +457,13 @@ void WebApplication::configure()
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
m_contentSecurityPolicy =
(m_isAltUIUsed
? QLatin1String("")
: QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"))
+ (m_isClickjackingProtectionEnabled ? QLatin1String(" frame-ancestors 'self';") : QLatin1String(""))
+ (m_isHttpsEnabled ? QLatin1String(" upgrade-insecure-requests;") : QLatin1String(""));
}
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
@ -559,21 +566,17 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
print(error.message(), Http::CONTENT_TYPE_TXT);
}
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
header(QLatin1String(Http::HEADER_X_XSS_PROTECTION), QLatin1String("1; mode=block"));
header(QLatin1String(Http::HEADER_X_CONTENT_TYPE_OPTIONS), QLatin1String("nosniff"));
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
if (m_isClickjackingProtectionEnabled) {
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
csp += QLatin1String(" frame-ancestors 'self';");
}
if (m_isHttpsEnabled) {
csp += QLatin1String(" upgrade-insecure-requests;");
}
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
if (m_isClickjackingProtectionEnabled)
header(QLatin1String(Http::HEADER_X_FRAME_OPTIONS), QLatin1String("SAMEORIGIN"));
if (!m_isAltUIUsed)
header(Http::HEADER_REFERRER_POLICY, "same-origin");
header(QLatin1String(Http::HEADER_REFERRER_POLICY), QLatin1String("same-origin"));
if (!m_contentSecurityPolicy.isEmpty())
header(QLatin1String(Http::HEADER_CONTENT_SECURITY_POLICY), m_contentSecurityPolicy);
return response();
}

1
src/webui/webapplication.h
View File

@ -157,4 +157,5 @@ private:
bool m_isCSRFProtectionEnabled;
bool m_isHostHeaderValidationEnabled;
bool m_isHttpsEnabled;
QString m_contentSecurityPolicy;
};