webapp/bookstack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2025-11-03 02:13:16 +03:00
Code Activity

Added a couple of additional CSP rules

Browse Source 
As per guidance from google's CSP evaluator.
This commit is contained in:
Dan Brown
2021-09-04 14:34:43 +01:00
parent 253f386f00
commit 492af79c27
3 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
app/Http/Middleware/ApplyCspRules.php
View File

@@ -38,6 +38,8 @@ class ApplyCspRules
$this->cspService->setFrameAncestors($response); $this->cspService->setFrameAncestors($response);
$this->cspService->setScriptSrc($response); $this->cspService->setScriptSrc($response);
$this->cspService->setObjectSrc($response);
$this->cspService->setBaseUri($response);
return $response; return $response;
} }

24
app/Util/CspService.php
View File

@@ -34,9 +34,12 @@ class CspService
} }
$parts = [ $parts = [
'http:',
'https:',
'\'nonce-' . $this->nonce . '\'', '\'nonce-' . $this->nonce . '\'',
'\'strict-dynamic\'', '\'strict-dynamic\'',
]; ];
$value = 'script-src ' . implode(' ', $parts); $value = 'script-src ' . implode(' ', $parts);
$response->headers->set('Content-Security-Policy', $value, false); $response->headers->set('Content-Security-Policy', $value, false);
} }
@@ -62,6 +65,27 @@ class CspService
return count($this->getAllowedIframeHosts()) > 0; return count($this->getAllowedIframeHosts()) > 0;
} }
/**
* Sets CSP 'object-src' headers to restrict the types of dynamic content
* that can be embedded on the page.
*/
public function setObjectSrc(Response $response)
{
if (config('app.allow_content_scripts')) {
return;
}
$response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
}
/**
* Sets CSP 'base-uri' headers to restrict what base tags can be set on
* the page to prevent manipulation of relative links.
*/
public function setBaseUri(Response $response)
{
$response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
}
protected function getAllowedIframeHosts(): array protected function getAllowedIframeHosts(): array
{ {

14
tests/SecurityHeaderTest.php
View File

@@ -105,6 +105,20 @@ class SecurityHeaderTest extends TestCase
$this->assertNotEmpty($scriptHeader); $this->assertNotEmpty($scriptHeader);
} }
public function test_object_src_csp_header_set()
{
$resp = $this->get('/');
$scriptHeader = $this->getCspHeader($resp, 'object-src');
$this->assertEquals('object-src \'self\'', $scriptHeader);
}
public function test_base_uri_csp_header_set()
{
$resp = $this->get('/');
$scriptHeader = $this->getCspHeader($resp, 'base-uri');
$this->assertEquals('base-uri \'self\'', $scriptHeader);
}
/** /**
* Get the value of the first CSP header of the given type. * Get the value of the first CSP header of the given type.
*/ */