wsd/FileServer.cpp | 34 +++++++++++++++++++++++++--------- 1 file changed, 25 insertions(+), 9 deletions(-)
New commits: commit 624fc5c5de03c730ce31fa07126097d688725d81 Author: Pranav Kant <[email protected]> Date: Mon May 8 15:26:16 2017 +0530 wsd: Use HTTP Referer and then WOPISrc for frame ancestor This is required in those setup where the document is not served from the same host user is currently connected to. Use the Referer[sic] header to set the frame ancestors and if they are absent, fallback to WOPISrc value provided by the WOPI host. Change-Id: Ia63a213d10aca2df56a2884e07322c1cd8056ff8
diff --git a/wsd/FileServer.cpp b/wsd/FileServer.cpp
index ac4be4c6..7d7dba3e 100644
--- a/wsd/FileServer.cpp
+++ b/wsd/FileServer.cpp
@@ -394,17 +394,33 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco:: { const auto host = ((LOOLWSD::isSSLEnabled() || LOOLWSD::isSSLTermination()) ? "wss://" : "ws://") + (LOOLWSD::ServerName.empty() ? request.getHost() : LOOLWSD::ServerName); const auto params = Poco::URI(request.getURI()).getQueryParameters(); - std::string wopiDomain; - for (const auto& param : params) + std::string frameAncestor; + const auto it = request.find("Referer"); // Referer[sic] + if (it != request.end()) { - if (param.first == "WOPISrc") + frameAncestor = it->second; + LOG_TRC("Picking frame ancestor from HTTP Referer header: " << frameAncestor); + } + else // Use WOPISrc value if Referer is absent + { + for (const auto& param : params) { - std::string wopiHost; - Poco::URI::decode(param.second, wopiHost); - wopiDomain = Poco::URI(wopiHost).getScheme() + "://" + Poco::URI(wopiHost).getHost(); + if (param.first == "WOPISrc") + { + Poco::URI::decode(param.second, frameAncestor); + LOG_TRC("Picking frame ancestor from WOPISrc: " << frameAncestor); + break; + } } } + // Keep only the origin, reject everything else + if (!Poco::URI(frameAncestor).getScheme().empty() && !Poco::URI(frameAncestor).getHost().empty()) + { + frameAncestor = Poco::URI(frameAncestor).getScheme() + "://" + Poco::URI(frameAncestor).getHost(); + LOG_TRC("Final frame ancestor: " << frameAncestor); + } + // Is this a file we read at startup - if not; its not for serving. const std::string relPath = getRequestPathname(request); LOG_DBG("Preprocessing file: " << relPath); 
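Review bot: The block under `// Keep only the origin, reject everything else` never rejects anything: when the scheme or host is empty, `frameAncestor` keeps the raw Referer or percent-decoded WOPISrc string, and the second hunk then writes it unescaped into the `X-Frame-Options` and `frame-ancestors` header lines. Adding `else { frameAncestor.clear(); }` after the `if` would make the code match its comment and send malformed values down the existing no-ancestor branch. Separately, because the Referer is supplied by whichever page embeds the document, taking the ancestor from it means the policy names the embedding page itself and no longer restricts framing; if the deployment has a set of permitted WOPI hosts, the computed origin should be checked against it before use. `Poco::URI(frameAncestor)` is also constructed four times on request-controlled text and, as far as I know, can throw on a malformed URI, so parsing once into a local inside a guarded scope would be safer. The body of `preprocessFile` starts and ends outside this hunk, so any handling further down is not visible here.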
@@ -488,11 +504,11 @@ void FileServerRequestHandler::preprocessFile(const HTTPRequest& request, Poco:: << "style-src 'self' 'unsafe-inline'; " << "font-src 'self' data:; " << "img-src 'self' data:; "; - if (!wopiDomain.empty()) + if (!frameAncestor.empty()) { // Replaced by frame-ancestors in CSP but some oldies don't know about that - oss << "X-Frame-Options: allow-from " << wopiDomain << "\r\n"; - cspOss << "frame-ancestors " << wopiDomain; + oss << "X-Frame-Options: allow-from " << frameAncestor << "\r\n"; + cspOss << "frame-ancestors " << frameAncestor; } else { _______________________________________________ Libreoffice-commits mailing list [email protected] https://lists.freedesktop.org/mailman/listinfo/libreoffice-commits
