authorTor Brede Vekterli <vekterli@yahooinc.com>2022-09-08 14:49:38 +0200
committerGitHub <noreply@github.com>2022-09-08 14:49:38 +0200
commit3936430fbc2838bba4fa37087b409361cd1442bc (patch)
tree1c3b90dc869f86af8ff73eeeb66f9355610c4a88 /vespalib
parentc0e76c87d2780bbaa68e9210a3a31434208e9d84 (diff)
parentc06ed71b42e3995627ba854c7cf0bfae3c56bd0b (diff)
Merge pull request #23980 from vespa-engine/vekterli/add-status-page-frame-ancestors-csp
Add frame-ancestors: 'none' to CSP headers returned by internal server
Diffstat (limited to 'vespalib')
-rw-r--r--vespalib/src/tests/portal/portal_test.cpp2
-rw-r--r--vespalib/src/tests/state_server/state_server_test.cpp2
-rw-r--r--vespalib/src/vespa/vespalib/portal/http_connection.cpp5
3 files changed, 5 insertions, 4 deletions
diff --git a/vespalib/src/tests/portal/portal_test.cpp b/vespalib/src/tests/portal/portal_test.cpp
index 2e68e7033db..979b1284700 100644
--- a/vespalib/src/tests/portal/portal_test.cpp
+++ b/vespalib/src/tests/portal/portal_test.cpp
@@ -52,7 +52,7 @@ vespalib::string make_expected_response(const vespalib::string &content_type, co
"Content-Length: %zu\r\n"
"X-XSS-Protection: 1; mode=block\r\n"
"X-Frame-Options: DENY\r\n"
- "Content-Security-Policy: default-src 'none'\r\n"
+ "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
"X-Content-Type-Options: nosniff\r\n"
"Cache-Control: no-store\r\n"
"Pragma: no-cache\r\n"
diff --git a/vespalib/src/tests/state_server/state_server_test.cpp b/vespalib/src/tests/state_server/state_server_test.cpp
index f6e614f213a..2369e0dac66 100644
--- a/vespalib/src/tests/state_server/state_server_test.cpp
+++ b/vespalib/src/tests/state_server/state_server_test.cpp
@@ -85,7 +85,7 @@ TEST_FF("require that non-empty known url returns expected headers", DummyHandle
"Content-Length: 5\r\n"
"X-XSS-Protection: 1; mode=block\r\n"
"X-Frame-Options: DENY\r\n"
- "Content-Security-Policy: default-src 'none'\r\n"
+ "Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n"
"X-Content-Type-Options: nosniff\r\n"
"Cache-Control: no-store\r\n"
"Pragma: no-cache\r\n"
diff --git a/vespalib/src/vespa/vespalib/portal/http_connection.cpp b/vespalib/src/vespa/vespalib/portal/http_connection.cpp
index 2c2a36c1529..6ea56e2659c 100644
--- a/vespalib/src/vespa/vespalib/portal/http_connection.cpp
+++ b/vespalib/src/vespa/vespalib/portal/http_connection.cpp
@@ -103,8 +103,9 @@ void emit_http_security_headers(OutputWriter &dst) {
// Do not allow embedding via iframe (clickjacking prevention)
dst.printf("X-Frame-Options: DENY\r\n");
// Do not allow _anything_ to be externally loaded, nor inline scripts
- // etc to be executed.
- dst.printf("Content-Security-Policy: default-src 'none'\r\n");
+ // etc. to be executed.
+ // "frame-ancestors: none" is analogous to X-Frame-Options: DENY.
+ dst.printf("Content-Security-Policy: default-src 'none'; frame-ancestors 'none'\r\n");
// No heuristic auto-inference of content-type based on payload.
dst.printf("X-Content-Type-Options: nosniff\r\n");
// Don't store any potentially sensitive data in any caches.
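Review bot: The comment added on line 57 misquotes the directive it explains: CSP directives take no colon and the keyword is quoted, so `"frame-ancestors: none"` should read `// "frame-ancestors 'none'" supersedes X-Frame-Options: DENY in CSP-aware browsers.` — as written, someone copying the comment's form into another policy would produce a directive the browser silently ignores. It would also help to record why both headers stay: CSP Level 2 says a user agent that understands frame-ancestors should enforce it and ignore X-Frame-Options, so the `X-Frame-Options: DENY` on line 52 is now only a fallback for clients without CSP2 support, and a note such as `// Keep X-Frame-Options for browsers that predate CSP frame-ancestors.` would prevent a future cleanup from dropping either header. The header value itself is correct; only the comment wording is off. emit_http_security_headers begins before this hunk and its body continues past line 61.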