From 01c614942202364c77745715f87702544aeddb7d Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Sun, 16 Jan 2022 20:52:30 +0000
Subject: [PATCH] Restrict websites to same origin requests only, using a Content-Security-Policy meta tag.
---
 src/main/java/org/qortal/api/HTMLParser.java | 7 ++++++-
 .../java/org/qortal/arbitrary/ArbitraryDataRenderer.java | 3 +--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/main/java/org/qortal/api/HTMLParser.java b/src/main/java/org/qortal/api/HTMLParser.java
index 51e0854e..9bac7d52 100644
--- a/src/main/java/org/qortal/api/HTMLParser.java
+++ b/src/main/java/org/qortal/api/HTMLParser.java
@@ -19,14 +19,19 @@ public class HTMLParser {
 this.data = data;
 }
- public void setDocumentBaseUrl() {
+ public void addAdditionalHeaderTags() {
 String fileContents = new String(data);
 Document document = Jsoup.parse(fileContents);
 String baseUrl = this.linkPrefix + "/";
 Elements head = document.getElementsByTag("head");
 if (!head.isEmpty()) {
+ // Add base href tag
 String baseElement = String.format("", baseUrl);
 head.get(0).prepend(baseElement);
+
+ // Add security policy tag
+ String securityPolicy = String.format("");
+ head.get(0).prepend(securityPolicy);
 }
 String html = document.html();
 this.data = html.getBytes();
diff --git a/src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java b/src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java
index 67b4c42b..e37c1e8f 100644
--- a/src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java
+++ b/src/main/java/org/qortal/arbitrary/ArbitraryDataRenderer.java
@@ -9,7 +9,6 @@ import org.qortal.arbitrary.ArbitraryDataFile.*;
 import org.qortal.arbitrary.exception.MissingDataException;
 import org.qortal.arbitrary.misc.Service;
 import org.qortal.controller.Controller;
-import org.qortal.repository.DataException;
 import org.qortal.settings.Settings;
 import javax.servlet.ServletContext;
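Review bot: The policy added in `addAdditionalHeaderTags()` (HTMLParser.java hunk) reaches the browser only as a `<meta>` element inside HTML that went through Jsoup, so responses that presumably bypass this parser get no policy, and a meta-delivered policy cannot carry directives such as `frame-ancestors` or `sandbox`. ArbitraryDataRenderer already holds the servlet `response` at the call site, so the same policy could also be sent as a header, e.g. `response.setHeader("Content-Security-Policy", POLICY);`, where `POLICY` is a placeholder for the string used here (its value is not legible on this page). Separately, the new `securityPolicy` line calls `String.format` with no arguments; a plain string literal would keep a stray `%` in the policy from being read as a format specifier. The method's closing brace lies outside the hunk.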
@@ -119,7 +118,7 @@ public class ArbitraryDataRenderer {
 // HTML file - needs to be parsed
 byte[] data = Files.readAllBytes(Paths.get(filePath)); // TODO: limit file size that can be read into memory
 HTMLParser htmlParser = new HTMLParser(resourceId, inPath, prefix, usePrefix, data);
- htmlParser.setDocumentBaseUrl();
+ htmlParser.addAdditionalHeaderTags();
 response.setContentType(context.getMimeType(filename));
 response.setContentLength(htmlParser.getData().length);
 response.getOutputStream().write(htmlParser.getData());