loleaflet/dist/loleaflet.html | 7 ------- wsd/FileServer.cpp | 10 +++++++++- 2 files changed, 9 insertions(+), 8 deletions(-)
New commits: commit b7eafb1e4a8da6fced02af395581475f0332c2a7 Author: Pranav Kant <pran...@collabora.co.uk> Date: Wed Apr 12 19:23:35 2017 +0530 Move CSP to response headers from meta tag in html Some older browsers don't have meta tag support for CSP. Lets put all of the CSP in response headers to be compatible with oldies. Change-Id: I7f0d7c294e492b3c69ebea6fbd820d6558b9c3b3
diff --git a/loleaflet/dist/loleaflet.html b/loleaflet/dist/loleaflet.html
index 8b3f794c..bfa9ad3e 100644
--- a/loleaflet/dist/loleaflet.html
+++ b/loleaflet/dist/loleaflet.html
@@ -3,13 +3,6 @@
 <html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
 <title>Online Editor</title>
 <meta charset="utf-8">
-<meta http-equiv="Content-Security-Policy" content="default-src 'none';
- frame-src 'self' blob:;
- connect-src 'self' %HOST%;
- script-src 'self' 'unsafe-inline';
- style-src 'self' 'unsafe-inline';
- font-src 'self' data:;
- img-src 'self' data:;">
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <script>
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index 96552d40..cf9607d0 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -352,8 +352,16 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco::
 if (!wopiDomain.empty())
 {
+ // Replaced by frame-ancestors in CSP but some oldies don't know about that
 oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n";
- oss << "Content-Security-Policy: frame-ancestors " << wopiDomain << "\r\n";
+ oss << "Content-Security-Policy: default-src 'none'; "
+ << "frame-src 'self' blob:; "
+ << "connect-src 'self' " << host << "; "
+ << "script-src 'unsafe-inline' 'self'; "
+ << "style-src 'self' 'unsafe-inline'; "
+ << "font-src 'self' data:; "
+ << "img-src 'self' data:; "
+ << "frame-ancestors " << wopiDomain << "\r\n";
 }
 else
 {
_______________________________________________ Libreoffice-commits mailing list libreoffice-comm...@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
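Review bot: The complete policy is now written only inside the `if (!wopiDomain.empty())` branch, while the `<meta>` policy is removed from loleaflet.html for every response. Unless the `else` branch, which continues outside this hunk, emits the same directives, pages served without a WOPI host lose `default-src 'none'` and the other fetch restrictions. Emitting the base directives before the `if` and appending only `<< "frame-ancestors " << wopiDomain` inside the branch would keep both paths covered. `host` and `wopiDomain` are also streamed into the header verbatim; their sources are not visible here, but if either can be influenced by the request, a value containing `;`, CR or LF would add directives or extra headers, so both should be validated as a plain host/origin before they reach this point.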