From 8604450abfab30e120915cc0b7c8e452783f46b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnter=20Obiltschnig?= Date: Mon, 8 Jun 2020 15:11:52 +0200 Subject: [PATCH] OSP/Web: added support for X-Frame-Options header --- platform/OSP/Web/doc/01000-OSPWeb.page | 6 +++++- platform/OSP/Web/src/WebBundleActivator.cpp | 9 ++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/platform/OSP/Web/doc/01000-OSPWeb.page b/platform/OSP/Web/doc/01000-OSPWeb.page index 702ddea58..9dd4e5ae0 100644 --- a/platform/OSP/Web/doc/01000-OSPWeb.page +++ b/platform/OSP/Web/doc/01000-OSPWeb.page @@ -381,7 +381,11 @@ The web server can be configured by setting the following properties in the glob - <[osp.web.xssProtection.mode]>: Specifies the <[mode]> parameter for the <[X-XSS-Protection]> header and defaults to "block". - <[osp.web.contentTypeOptions]>: Specifies the value of the <[X-Content-Type-Options]> header sent with - every HTTP response. Defaults to <[nosniff]>. + every HTTP response. Defaults to <[nosniff]>. Can be set to an empty string to disable + this header, which is not recommended. + - <[osp.web.frameOptions]>: Specivies the value of the <[X-Frame-Options]> header sent with every + HTTP response. Defaults to none (no <[X-Frame-Options]> header sent). Valid values are + <[DENY]> and <[SAMEORIGIN]>. - <[osp.web.addAuthHeader]>: If set to true (default), and authentication/authorization has been enabled for a resource and has been successful, a header named "X-OSP-Authorized-User" containing the authenticated and authorized username is added to the Poco::Net::HTTPRequest, for use diff --git a/platform/OSP/Web/src/WebBundleActivator.cpp b/platform/OSP/Web/src/WebBundleActivator.cpp index bcd5763a2..1216d0bdf 100644 --- a/platform/OSP/Web/src/WebBundleActivator.cpp +++ b/platform/OSP/Web/src/WebBundleActivator.cpp 
@@ -22,6 +22,7 @@
 #include "Poco/OSP/Web/WebServerExtensionPoint.h"
 #include "Poco/OSP/Web/WebFilterExtensionPoint.h"
 #include "Poco/StringTokenizer.h"
+#include "Poco/String.h"
 #include "Poco/Format.h"
 #include "Poco/AutoPtr.h"
 #include "Poco/Delegate.h"
@@ -92,6 +93,7 @@ class WebBundleActivator: public BundleActivator
 bool xssProtEnable(pContext->thisBundle()->properties().getBool("xssProtection.enable", false));
 std::string xssProtMode(pContext->thisBundle()->properties().getString("xssProtection.mode", "block"));
 std::string contentTypeOptions(pContext->thisBundle()->properties().getString("contentTypeOptions", "nosniff"));
+ std::string frameOptions(pContext->thisBundle()->properties().getString("frameOptions", ""));
 bool addAuthHeader(pContext->thisBundle()->properties().getBool("addAuthHeader", true));
 bool addSignature(pContext->thisBundle()->properties().getBool("addSignature", true));
 int authMethods = 0;
@@ -119,6 +121,7 @@ class WebBundleActivator: public BundleActivator
 xssProtEnable = pPrefsSvc->configuration()->getBool("osp.web.xssProtection.enable", xssProtEnable);
 xssProtMode = pPrefsSvc->configuration()->getString("osp.web.xssProtection.mode", xssProtMode);
 contentTypeOptions = pPrefsSvc->configuration()->getString("osp.web.contentTypeOptions", contentTypeOptions);
+ frameOptions = pPrefsSvc->configuration()->getString("osp.web.frameOptions", frameOptions);
 addAuthHeader = pPrefsSvc->configuration()->getBool("osp.web.addAuthHeader", addAuthHeader);
 addSignature = pPrefsSvc->configuration()->getBool("osp.web.addSignature", addSignature);
 authMethods = WebServerDispatcher::parseAuthMethods(pPrefsSvc->configuration()->getString("osp.web.authMethods", ""));
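Review bot: The `osp.web.frameOptions` value read in the last hunk is accepted without any validation against the documented DENY/SAMEORIGIN set, so a typo or the legacy `ALLOW-FROM <uri>` form is emitted verbatim (upper-cased, judging from the later hunk), and browsers discard an X-Frame-Options header they cannot parse — the page silently stays framable while the operator believes clickjacking protection is on. I would normalise and check it where configuration is read: `frameOptions = Poco::toUpper(pPrefsSvc->configuration()->getString("osp.web.frameOptions", frameOptions));` followed by `if (!frameOptions.empty() && frameOptions != "DENY" && frameOptions != "SAMEORIGIN") throw Poco::InvalidArgumentException("osp.web.frameOptions", frameOptions);` (assuming Poco/Exception.h is already reachable here; logging and falling back to DENY is the alternative if a bad value should not stop bundle activation). The bundle-properties read in the previous hunk deserves the same check, since it is the fallback when the preferences service does not override it. It is also worth noting in the documentation that Content-Security-Policy `frame-ancestors` supersedes X-Frame-Options in current browsers, so deployments that care about framing should emit both. The enclosing method starts and ends outside this hunk.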
@@ -131,7 +134,7 @@ class WebBundleActivator: public BundleActivator
 Poco::Net::NameValueCollection customResponseHeaders;
 if (hstsEnable)
 {
- std::string hstsHeader(Poco::format("maxAge=%d", hstsMaxAge));
+ std::string hstsHeader(Poco::format("max-age=%d", hstsMaxAge));
 if (hstsIncludeSubdomains) hstsHeader += "; includeSubdomains";
 customResponseHeaders.add("Strict-Transport-Security", hstsHeader);
 }
@@ -143,6 +146,10 @@ class WebBundleActivator: public BundleActivator
 {
 customResponseHeaders.add("X-Content-Type-Options", contentTypeOptions);
 }
+ if (!frameOptions.empty())
+ {
+ customResponseHeaders.add("X-Frame-Options", Poco::toUpper(frameOptions));
+ }
 WebServerDispatcher::Config config;
 config.pContext = pContext;
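Review bot: The `maxAge` to `max-age` rename in the Strict-Transport-Security hunk is a security-relevant behavior change that the commit title (X-Frame-Options support) does not mention: per RFC 6797 a user agent ignores an STS header that lacks a valid max-age directive, so HSTS was effectively never enforced before this patch, and any deployment that already has hstsEnable set will start pinning browsers to HTTPS for hstsMaxAge seconds the moment it upgrades. Please call this out in the commit message and in the HSTS section of the OSP/Web documentation, with the usual advice to roll out with a short max-age first and add includeSubdomains only once every subdomain is served over TLS. hstsMaxAge is declared outside the hunk; if, as the `%d` format suggests, it is a plain int taken from configuration, a negative value would again yield a directive browsers reject, so a guard such as `if (hstsMaxAge < 0) hstsMaxAge = 0;` (or rejecting the value at read time) before the format call is worth adding. The enclosing method starts and ends outside this hunk.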