mirror of
https://github.com/qbittorrent/qBittorrent.git
synced 2024-10-22 18:56:08 +03:00
Revise CSP header
The majority of the CSP is tuned for built-in WebUI, it may not be suitable for alternative UI. Also add QLatin1String to strings. This code path is called repeatedly, it is worth adding QLatin1String to squeeze out the last bit of performance.
This commit is contained in:
parent
be2895ac6f
commit
9380209afb
2 changed files with 16 additions and 12 deletions
|
@ -457,6 +457,13 @@ void WebApplication::configure()
|
|||
m_isCSRFProtectionEnabled = pref->isWebUiCSRFProtectionEnabled();
|
||||
m_isHostHeaderValidationEnabled = pref->isWebUIHostHeaderValidationEnabled();
|
||||
m_isHttpsEnabled = pref->isWebUiHttpsEnabled();
|
||||
|
||||
m_contentSecurityPolicy =
|
||||
(m_isAltUIUsed
|
||||
? QLatin1String("")
|
||||
: QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';"))
|
||||
+ (m_isClickjackingProtectionEnabled ? QLatin1String(" frame-ancestors 'self';") : QLatin1String(""))
|
||||
+ (m_isHttpsEnabled ? QLatin1String(" upgrade-insecure-requests;") : QLatin1String(""));
|
||||
}
|
||||
|
||||
void WebApplication::registerAPIController(const QString &scope, APIController *controller)
|
||||
|
@ -559,21 +566,17 @@ Http::Response WebApplication::processRequest(const Http::Request &request, cons
|
|||
print(error.message(), Http::CONTENT_TYPE_TXT);
|
||||
}
|
||||
|
||||
header(Http::HEADER_X_XSS_PROTECTION, "1; mode=block");
|
||||
header(Http::HEADER_X_CONTENT_TYPE_OPTIONS, "nosniff");
|
||||
header(QLatin1String(Http::HEADER_X_XSS_PROTECTION), QLatin1String("1; mode=block"));
|
||||
header(QLatin1String(Http::HEADER_X_CONTENT_TYPE_OPTIONS), QLatin1String("nosniff"));
|
||||
|
||||
QString csp = QLatin1String("default-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; script-src 'self' 'unsafe-inline'; object-src 'none'; form-action 'self';");
|
||||
if (m_isClickjackingProtectionEnabled) {
|
||||
header(Http::HEADER_X_FRAME_OPTIONS, "SAMEORIGIN");
|
||||
csp += QLatin1String(" frame-ancestors 'self';");
|
||||
}
|
||||
if (m_isHttpsEnabled) {
|
||||
csp += QLatin1String(" upgrade-insecure-requests;");
|
||||
}
|
||||
header(Http::HEADER_CONTENT_SECURITY_POLICY, csp);
|
||||
if (m_isClickjackingProtectionEnabled)
|
||||
header(QLatin1String(Http::HEADER_X_FRAME_OPTIONS), QLatin1String("SAMEORIGIN"));
|
||||
|
||||
if (!m_isAltUIUsed)
|
||||
header(Http::HEADER_REFERRER_POLICY, "same-origin");
|
||||
header(QLatin1String(Http::HEADER_REFERRER_POLICY), QLatin1String("same-origin"));
|
||||
|
||||
if (!m_contentSecurityPolicy.isEmpty())
|
||||
header(QLatin1String(Http::HEADER_CONTENT_SECURITY_POLICY), m_contentSecurityPolicy);
|
||||
|
||||
return response();
|
||||
}
|
||||
|
|
|
@ -157,4 +157,5 @@ private:
|
|||
bool m_isCSRFProtectionEnabled;
|
||||
bool m_isHostHeaderValidationEnabled;
|
||||
bool m_isHttpsEnabled;
|
||||
QString m_contentSecurityPolicy;
|
||||
};
|
||||
|
|
Loading…
Reference in a new issue