Started application of CSP headers

app/Http/Middleware/ApplyCspRules.php

@@ -0,0 +1,69 @@
+<?php
+
+namespace BookStack\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Illuminate\Support\Str;
+use Symfony\Component\HttpFoundation\Response;
+
+
+class ApplyCspRules
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param Request $request
+     * @param Closure $next
+     *
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+        $nonce = Str::random(24);
+        view()->share('cspNonce', $nonce);
+
+        // TODO - Assess whether image/style/iframe CSP rules should be set
+        // TODO - Extract nonce application to custom head content in a way that's cacheable.
+        // TODO - Fix remaining CSP issues and test lots
+
+        $response = $next($request);
+
+        $this->setFrameAncestors($response);
+        $this->setScriptSrc($response, $nonce);
+
+        return $response;
+    }
+
+    /**
+     * Sets CSP 'script-src' headers to restrict the forms of script that can
+     * run on the page.
+     */
+    public function setScriptSrc(Response $response, string $nonce)
+    {
+        $parts = [
+            '\'self\'',
+            '\'nonce-' . $nonce . '\'',
+            '\'strict-dynamic\'',
+        ];
+        $response->headers->set('Content-Security-Policy', 'script-src ' . implode(' ', $parts));
+    }
+
+    /**
+     * Sets CSP "frame-ancestors" headers to restrict the hosts that BookStack can be
+     * iframed within. Also adjusts the cookie samesite options so that cookies will
+     * operate in the third-party context.
+     */
+    protected function setFrameAncestors(Response $response)
+    {
+        $iframeHosts = collect(explode(' ', config('app.iframe_hosts', '')))->filter();
+
+        if ($iframeHosts->count() > 0) {
+            config()->set('session.same_site', 'none');
+        }
+
+        $iframeHosts->prepend("'self'");
+        $cspValue = 'frame-ancestors ' . $iframeHosts->join(' ');
+        $response->headers->set('Content-Security-Policy', $cspValue);
+    }
+}

app/Http/Middleware/ControlIframeSecurity.php

@@ -1,37 +0,0 @@
-<?php
-
-namespace BookStack\Http\Middleware;
-
-use Closure;
-
-/**
- * Sets CSP headers to restrict the hosts that BookStack can be
- * iframed within. Also adjusts the cookie samesite options
- * so that cookies will operate in the third-party context.
- */
-class ControlIframeSecurity
-{
-    /**
-     * Handle an incoming request.
-     *
-     * @param \Illuminate\Http\Request $request
-     * @param \Closure                 $next
-     *
-     * @return mixed
-     */
-    public function handle($request, Closure $next)
-    {
-        $iframeHosts = collect(explode(' ', config('app.iframe_hosts', '')))->filter();
-        if ($iframeHosts->count() > 0) {
-            config()->set('session.same_site', 'none');
-        }
-
-        $iframeHosts->prepend("'self'");
-
-        $response = $next($request);
-        $cspValue = 'frame-ancestors ' . $iframeHosts->join(' ');
-        $response->headers->set('Content-Security-Policy', $cspValue);
-
-        return $response;
-    }
-}