aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/src/sledjchisl
diff options
context:
space:
mode:
authoronefang2020-04-30 13:05:13 +1000
committeronefang2020-04-30 13:05:13 +1000
commitdcbb6f814470c8da8ba79fe39ae8827141a5fa9a (patch)
tree1fcfc5ed47b67e48384bbd0dc77b2d553cfb87a7 /src/sledjchisl
parentDon't fall over on NULL FCGI path. (diff)
downloadopensim-SC_OLD-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.zip
opensim-SC_OLD-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.gz
opensim-SC_OLD-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.bz2
opensim-SC_OLD-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.xz
Config option to allow other web sites to iFrame our pages.
Coz someone asked for it.
Diffstat (limited to 'src/sledjchisl')
-rw-r--r--src/sledjchisl/sledjchisl.c29
1 files changed, 27 insertions, 2 deletions
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index 8e9108e..6bb9b48 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -446,6 +446,7 @@ char *Tcmd = "tmux -S";
446char *webRoot = "/var/www/html"; 446char *webRoot = "/var/www/html";
447char *URL = "fcgi-bin/sledjchisl.fcgi"; 447char *URL = "fcgi-bin/sledjchisl.fcgi";
448char *ToS = "Be good."; 448char *ToS = "Be good.";
449char *webIframers = "";
449int seshTimeOut = 30 * 60; 450int seshTimeOut = 30 * 60;
450int idleTimeOut = 24 * 60 * 60; 451int idleTimeOut = 24 * 60 * 60;
451int newbieTimeOut = 30; 452int newbieTimeOut = 30;
@@ -6305,6 +6306,7 @@ jit library is loaded or the JIT compiler will not be activated.
6305 if ((vd = configs->get (configs, "idleTimeOut", NULL, false)) != NULL) {idleTimeOut = (int) *((float *) vd); D("Setting idleTimeOut = %d", idleTimeOut);} 6306 if ((vd = configs->get (configs, "idleTimeOut", NULL, false)) != NULL) {idleTimeOut = (int) *((float *) vd); D("Setting idleTimeOut = %d", idleTimeOut);}
6306 if ((vd = configs->get (configs, "newbieTimeOut", NULL, false)) != NULL) {newbieTimeOut = (int) *((float *) vd); D("Setting newbieTimeOut = %d", newbieTimeOut);} 6307 if ((vd = configs->get (configs, "newbieTimeOut", NULL, false)) != NULL) {newbieTimeOut = (int) *((float *) vd); D("Setting newbieTimeOut = %d", newbieTimeOut);}
6307 if ((tmp = configs->getstr(configs, "ToS", false)) != NULL) {ToS = tmp; D("Setting ToS = %s", ToS);} 6308 if ((tmp = configs->getstr(configs, "ToS", false)) != NULL) {ToS = tmp; D("Setting ToS = %s", ToS);}
6309 if ((tmp = configs->getstr(configs, "webIframers", false)) != NULL) {webIframers = tmp; D("Setting webIframers = %s", webIframers);}
6308 6310
6309 6311
6310 // Use a FHS compatible setup - 6312 // Use a FHS compatible setup -
@@ -6675,9 +6677,32 @@ t("BODY");
6675 Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate"); 6677 Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate");
6676 Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache"); 6678 Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache");
6677 Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1"); 6679 Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1");
6678// Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "script-src 'self'"); // This can get complex. 6680 Rd->Rheaders->putstr(Rd->Rheaders, "Strict-Transport-Security", "max-age=63072000"); // Two years.
6681// TODO - do something about this -
6682 /* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
6683 "Note: Disallowing inline styles and inline scripts is one of
6684 the biggest security wins CSP provides. However, if you
6685 absolutely have to use it, there are a few mechanisms that
6686 will allow them."
6687
6688 WTF? And the mechanisms include nonces, hashes, or 'unsafe-inline'.
6689 Not sure why inline styles need to be that secure, when downloaded ones are not.
6690 Ah, it's for user input that is sent back to other users, they might include funky CSS in their input.
6691 SOOOO, proper validation and escaping is needed.
6692 OOOOR, use the nonce, and make it a different nonce per page serve.
6693 OOOOR, just put all the style stuff in a .css file. Then we can use style-src 'self' without the 'unsafe-inline'?
6694 There's only one block of <style in the header I think.
6695 */
6696 // Content-Security-Policy can get complex, and I first wrote that when it was very simple. lol
6697 if ('\0' != webIframers[0])
6698 Rd->Rheaders->putstrf(Rd->Rheaders, "Content-Security-Policy",
6699 "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self' %s", webIframers);
6700 else
6701 {
6702 Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'");
6703 Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN"); // This is deprecated, and is an all or nothing thing.
6704 }
6679 Rd->Rheaders->putstr(Rd->Rheaders, "X-XSS-Protection", "1;mode=block"); 6705 Rd->Rheaders->putstr(Rd->Rheaders, "X-XSS-Protection", "1;mode=block");
6680 Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN");
6681 Rd->Rheaders->putstr(Rd->Rheaders, "X-Content-Type-Options", "nosniff"); 6706 Rd->Rheaders->putstr(Rd->Rheaders, "X-Content-Type-Options", "nosniff");
6682// Failed experiment, looks like JavaScript is the only way to change headers for the session ID. 6707// Failed experiment, looks like JavaScript is the only way to change headers for the session ID.
6683// Rd->Rheaders->putstr(Rd->Rheaders, "X-Toke-N-Munchie", "foo, bar"); 6708// Rd->Rheaders->putstr(Rd->Rheaders, "X-Toke-N-Munchie", "foo, bar");