Restrict websites to same origin requests only, using a Content-Security-Policy meta tag.

This commit is contained in:
CalDescent 2022-01-16 20:52:30 +00:00
parent 6f80a6c08a
commit 01c6149422
2 changed files with 7 additions and 3 deletions


@ -19,14 +19,19 @@ public class HTMLParser {
this.data = data; this.data = data;
} }
public void setDocumentBaseUrl() { public void addAdditionalHeaderTags() {
String fileContents = new String(data); String fileContents = new String(data);
Document document = Jsoup.parse(fileContents); Document document = Jsoup.parse(fileContents);
String baseUrl = this.linkPrefix + "/"; String baseUrl = this.linkPrefix + "/";
Elements head = document.getElementsByTag("head"); Elements head = document.getElementsByTag("head");
if (!head.isEmpty()) { if (!head.isEmpty()) {
// Add base href tag
String baseElement = String.format("<base href=\"%s\">", baseUrl); String baseElement = String.format("<base href=\"%s\">", baseUrl);
head.get(0).prepend(baseElement); head.get(0).prepend(baseElement);
// Add security policy tag
String securityPolicy = String.format("<meta http-equiv=\"Content-Security-Policy\" content=\"connect-src 'self'\">");
head.get(0).prepend(securityPolicy);
} }
String html = document.html(); String html = document.html();
this.data = html.getBytes(); this.data = html.getBytes();
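Review bot: The policy assigned to `securityPolicy`, `connect-src 'self'`, only constrains fetch/XHR/WebSocket/EventSource-style connections, so it does not deliver the same-origin restriction the commit title claims — a hosted page can still load scripts, images, styles and frames from any origin and submit forms off-origin, and a cross-origin `<img>` or form POST is enough to exfiltrate data. If the intent is to keep everything same-origin, start from a default and widen deliberately, e.g. `content=\"default-src 'self'; form-action 'self'\"` (hosted sites that rely on inline script or style would then need `'unsafe-inline'` or hashes added). Note also that `'self'` covers anything else served from this origin, so if the node's own API is reachable on the same host and port a hosted page could still call it — worth confirming. The `String.format(...)` wrapper around the meta tag takes no arguments and can be a plain string literal. The closing brace of `addAdditionalHeaderTags` and the rest of the class lie outside this hunk.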


@ -9,7 +9,6 @@ import org.qortal.arbitrary.ArbitraryDataFile.*;
import org.qortal.arbitrary.exception.MissingDataException; import org.qortal.arbitrary.exception.MissingDataException;
import org.qortal.arbitrary.misc.Service; import org.qortal.arbitrary.misc.Service;
import org.qortal.controller.Controller; import org.qortal.controller.Controller;
import org.qortal.repository.DataException;
import org.qortal.settings.Settings; import org.qortal.settings.Settings;
import javax.servlet.ServletContext; import javax.servlet.ServletContext;
@ -119,7 +118,7 @@ public class ArbitraryDataRenderer {
// HTML file - needs to be parsed // HTML file - needs to be parsed
byte[] data = Files.readAllBytes(Paths.get(filePath)); // TODO: limit file size that can be read into memory byte[] data = Files.readAllBytes(Paths.get(filePath)); // TODO: limit file size that can be read into memory
HTMLParser htmlParser = new HTMLParser(resourceId, inPath, prefix, usePrefix, data); HTMLParser htmlParser = new HTMLParser(resourceId, inPath, prefix, usePrefix, data);
htmlParser.setDocumentBaseUrl(); htmlParser.addAdditionalHeaderTags();
response.setContentType(context.getMimeType(filename)); response.setContentType(context.getMimeType(filename));
response.setContentLength(htmlParser.getData().length); response.setContentLength(htmlParser.getData().length);
response.getOutputStream().write(htmlParser.getData()); response.getOutputStream().write(htmlParser.getData());