From ed5d8c793dd9df64a6b7db1946807c391157d192 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Tue, 12 Jan 2016 10:25:05 +0100
Subject: [PATCH] dnsdist: Remove jsonp callback, add security HTTP headers

- Remove the jsonp callback, using simple json data instead (Fixes #3217) We might need to add CORS if we want to be able to retrieve JSON data from a webpage not stored on the embedded web server.
- Add several HTTP headers:
* X-Content-Type-Options: no-sniff to prevent browsers from guessing MIME type
* X-Frame-Options: deny to prevent clickjacking
* X-Permitted-Cross-Domain-Policies: none to keep flash from crossing boundaries
* X-XSS-Protection: 1; mode=block to mitigate XSS
* Content-Security-Policy: default-src 'self'; img-src *; style-src 'self' 'unsafe-inline', a basic CSP policy to restrict which scripts and CSS can be loaded
---
 pdns/dnsdist-web.cc | 16 +++++-----------
 pdns/dnsdistdist/html/local.js | 2 +-
 2 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/pdns/dnsdist-web.cc b/pdns/dnsdist-web.cc
index e4c2f76cb5..ea9aa1df08 100644
--- a/pdns/dnsdist-web.cc
+++ b/pdns/dnsdist-web.cc
@@ -58,16 +58,14 @@ static void connectionThread(int sock, ComboAddress remote, string password)
 string command=req.getvars["command"];
- string callback;
-
- if(req.getvars.count("callback")) {
- callback=req.getvars["callback"];
- req.getvars.erase("callback");
- }
-
 req.getvars.erase("_"); // jQuery cache buster
 YaHTTP::Response resp(req);
+ resp.headers["X-Content-Type-Options"] = "nosniff";
+ resp.headers["X-Frame-Options"] = "deny";
+ resp.headers["X-Permitted-Cross-Domain-Policies"] = "none";
+ resp.headers["X-XSS-Protection"] = "1; mode=block";
+ resp.headers["Content-Security-Policy"] = "default-src 'self'; img-src *; style-src 'self' 'unsafe-inline'";
 if (!compareAuthorization(req, password)) {
 errlog("HTTP Request \"%s\" from %s: Web Authentication failed", req.url.path, remote.toStringWithPort());
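Review bot: The Content-Security-Policy set on the last `+` line opens `img-src` to every origin and permits inline styles, which is broader than a policy for a self-hosted UI appears to need; if the bundled pages only reference local images, `img-src 'self'` keeps the policy tight, and adding `frame-ancestors 'none'` would carry the X-Frame-Options intent inside the same header for browsers that honour CSP level 2. The five `resp.headers[...] =` assignments are written inline in one handler; a small static helper such as `addSecurityHeaders(resp)` would let any later response path reuse them without drifting. Because they are assigned before the `compareAuthorization` check, they presumably also reach the failure response built in that branch, which deserves a one-line comment above the first assignment: `// set on every response, including the authentication failure below`. connectionThread starts and ends outside this hunk.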
@@ -217,10 +215,6 @@ static void connectionThread(int sock, ComboAddress remote, string password)
 resp.status=404;
 }
- if(!callback.empty()) {
- resp.body = callback + "(" + resp.body + ");";
- }
-
 std::ostringstream ofs;
 ofs << resp;
 string done;
diff --git a/pdns/dnsdistdist/html/local.js b/pdns/dnsdistdist/html/local.js
index 63f65477e2..22804d8530 100644
--- a/pdns/dnsdistdist/html/local.js
+++ b/pdns/dnsdistdist/html/local.js
@@ -142,7 +142,7 @@ $(document).ready(function() {
 $.ajax({
 url: 'jsonstat?command=stats',
 type: 'GET',
- dataType: 'jsonp',
+ jsonp: false,
 success: function(data, x, y) {
 $("#questions").text(data["queries"]);
 $("#acl-drops").text(data["acl-drops"]);
-- 
2.47.2
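Review bot: `jsonp: false` on the `+` line of the local.js hunk only suppresses the callback query parameter when `dataType` is `'jsonp'`; with `dataType` removed, jQuery infers the response type from the server's Content-Type header, so `data["queries"]` on the lines below silently reads `undefined` if the reply is not served as `application/json`. Replacing the added line with `dataType: 'json',` states the expected type explicitly and makes a malformed body reach the error callback rather than `success`. The enclosing `$(document).ready` handler starts and ends outside the hunk.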