From 91ac2e57c416bbdf95fa9242eaf8e5f9e118d5ba Mon Sep 17 00:00:00 2001
From: Jiaqing Zhao
Date: Thu, 17 Mar 2022 00:18:58 +0800
Subject: [PATCH] Replace CSP plugin-types directive with object-src

The HTTP Content-Security-Policy (CSP) plugin-types directive has been removed from the specification and is not supported by most browsers. Chrome browser suggests to specify "object-src 'none'" instead to block plugins, so replace it with that directive.

Refer https://github.com/w3c/webappsec-csp/issues/394 for details about this change.

Tested:
* In Chrome 99.0.4844.74, it no longer gives errors about CSP plugin-types directive.
* Checked neiter , or tags are used in eiter phosphor-webui or webui-vue.
* Using webui-vue, KVM and SOL Console works.

Change-Id: I79d7ed1de2c4d204bf040e7b32a7b6afe354862c
Signed-off-by: Jiaqing Zhao
---
 include/security_headers.hpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/security_headers.hpp b/include/security_headers.hpp
index 828a44c2a5..19075fbd73 100644
--- a/include/security_headers.hpp
+++ b/include/security_headers.hpp
@@ -35,7 +35,7 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
 "connect-src 'self' wss:; "
 "form-action 'none'; "
 "frame-ancestors 'none'; "
- "plugin-types 'none'; "
+ "object-src 'none'; "
 "base-uri 'none' ");
 // The KVM currently needs to load images from base64 encoded
 // strings. img-src 'self' data: is used to allow that.
@@ -54,7 +54,7 @@ inline void addSecurityHeaders(const crow::Request& req [[maybe_unused]],
 "connect-src *; "
 "form-action *; "
 "frame-ancestors *; "
- "plugin-types *; "
+ "object-src *; "
 "base-uri *");
 const std::string_view origin = req.getHeaderValue("Origin");
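Review bot: The new `"object-src 'none'; "` line in the first hunk carries no explanation of why it replaced plugin-types, while the neighbouring img-src line does document its reason; a short comment next to it would keep that pattern, for example `// plugin-types was dropped from the CSP spec; object-src 'none' is the replacement that blocks <object>/<embed>`. Without it, a later maintainer diffing the policy against older CSP references may try to reintroduce plugin-types. addSecurityHeaders starts and ends outside the hunk.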
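Review bot: In the second hunk `"object-src *; "` allows plugin content from any origin, even though the commit message states that neither phosphor-webui nor webui-vue uses object/embed/applet tags; keeping `"object-src 'none'; "` in this policy too would cost nothing that was tested and leaves one fewer wildcard in the header. The translation is also looser than the original, because plugin-types restricted MIME types while object-src restricts source origins, so `*` here is broader than `plugin-types *` was. If this branch is meant as a deliberately wide-open policy (inferred only from the other `*` directives visible in the hunk), a comment saying so next to the string would make that intent explicit. addSecurityHeaders starts and ends outside the hunk.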