Use a header instead of a meta tag for Content-Security-Policy, because we can't guarantee that we are parsing all HTML files.

Also use default-src instead of connect-src, as we want to block all external requests.
CalDescent 2022-01-17 20:04:35 +00:00
parent 01c6149422
commit cfc80cb9b0
2 changed files with 2 additions and 4 deletions


@ -28,10 +28,6 @@ public class HTMLParser {
// Add base href tag
String baseElement = String.format("<base href=\"%s\">", baseUrl);
head.get(0).prepend(baseElement);
// Add security policy tag
String securityPolicy = String.format("<meta http-equiv=\"Content-Security-Policy\" content=\"connect-src 'self'\">");
head.get(0).prepend(securityPolicy);
}
String html = document.html();
this.data = html.getBytes();


@ -119,6 +119,7 @@ public class ArbitraryDataRenderer {
byte[] data = Files.readAllBytes(Paths.get(filePath)); // TODO: limit file size that can be read into memory
HTMLParser htmlParser = new HTMLParser(resourceId, inPath, prefix, usePrefix, data);
htmlParser.addAdditionalHeaderTags();
response.addHeader("Content-Security-Policy", "default-src 'self'");
response.setContentType(context.getMimeType(filename));
response.setContentLength(htmlParser.getData().length);
response.getOutputStream().write(htmlParser.getData());
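Review bot: The policy string `"default-src 'self'"` is duplicated verbatim on the added line here and on the added line in the hunk at line 128 below; a single `private static final String CONTENT_SECURITY_POLICY = "default-src 'self'";` referenced by both `addHeader` calls keeps the two response paths from drifting apart when the policy is changed later. The switch from `connect-src` to `default-src` is stricter than the commit message's "block all external requests" suggests, since `'self'` also excludes inline scripts and styles, `data:` URIs and `eval`, so a comment next to the header such as `// default-src also blocks inline script/style, data: and eval; extend deliberately if served content needs them` would save the next maintainer a surprise. `default-src` is not a fallback for `form-action`, `base-uri` or `frame-ancestors`, and given that HTMLParser injects a `<base href>` tag, adding `base-uri 'self'` (and `form-action 'self'` if forms are served) would match the stated intent of blocking all external destinations. The enclosing method starts and ends outside the hunk, so whether other response branches also carry the header cannot be checked from here.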
@ -127,6 +128,7 @@ public class ArbitraryDataRenderer {
// Regular file - can be streamed directly
File file = new File(filePath);
FileInputStream inputStream = new FileInputStream(file);
response.addHeader("Content-Security-Policy", "default-src 'self'");
response.setContentType(context.getMimeType(filename));
int bytesRead, length = 0;
byte[] buffer = new byte[10240];