Added a couple of additional CSP rules
As per guidance from Google's CSP Evaluator.
This commit is contained in:
parent
253f386f00
commit
492af79c27
@ -38,6 +38,8 @@ class ApplyCspRules
|
||||
|
||||
$this->cspService->setFrameAncestors($response);
|
||||
$this->cspService->setScriptSrc($response);
|
||||
$this->cspService->setObjectSrc($response);
|
||||
$this->cspService->setBaseUri($response);
|
||||
|
||||
return $response;
|
||||
}
|
||||
|
@ -34,9 +34,12 @@ class CspService
|
||||
}
|
||||
|
||||
$parts = [
|
||||
'http:',
|
||||
'https:',
|
||||
'\'nonce-' . $this->nonce . '\'',
|
||||
'\'strict-dynamic\'',
|
||||
];
|
||||
|
||||
$value = 'script-src ' . implode(' ', $parts);
|
||||
$response->headers->set('Content-Security-Policy', $value, false);
|
||||
}
|
||||
@ -62,6 +65,27 @@ class CspService
|
||||
return count($this->getAllowedIframeHosts()) > 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets CSP 'object-src' headers to restrict the types of dynamic content
|
||||
* that can be embedded on the page.
|
||||
*/
|
||||
public function setObjectSrc(Response $response)
|
||||
{
|
||||
if (config('app.allow_content_scripts')) {
|
||||
return;
|
||||
}
|
||||
|
||||
$response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets CSP 'base-uri' headers to restrict what base tags can be set on
|
||||
* the page to prevent manipulation of relative links.
|
||||
*/
|
||||
public function setBaseUri(Response $response)
|
||||
{
|
||||
$response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
|
||||
}
|
||||
|
||||
protected function getAllowedIframeHosts(): array
|
||||
{
|
||||
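Review bot: `object-src 'self'` on the header line in setObjectSrc still allows any same-origin resource — including anything a user can upload to this origin — to be loaded through `<object>`/`<embed>`, whereas the CSP evaluator the commit cites recommends `'none'` wherever plugin content is not needed. If same-origin embeds are genuinely required (attachment previews, for instance — I cannot see that from this hunk), the docblock should say so, and it should also state that the method returns early, emitting no object-src directive at all, when `app.allow_content_scripts` is enabled. I would extend the setObjectSrc docblock with `* Skipped entirely when 'app.allow_content_scripts' is enabled, so no object-src restriction is emitted in that mode.` and `* Uses 'self' rather than 'none' so same-origin embeds keep working — TODO confirm this is still needed.` The getAllowedIframeHosts method opens at the end of this hunk and its body lies outside it.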
|
@ -105,6 +105,20 @@ class SecurityHeaderTest extends TestCase
|
||||
$this->assertNotEmpty($scriptHeader);
|
||||
}
|
||||
|
||||
public function test_object_src_csp_header_set()
|
||||
{
|
||||
$resp = $this->get('/');
|
||||
$scriptHeader = $this->getCspHeader($resp, 'object-src');
|
||||
$this->assertEquals('object-src \'self\'', $scriptHeader);
|
||||
}
|
||||
|
||||
public function test_base_uri_csp_header_set()
|
||||
{
|
||||
$resp = $this->get('/');
|
||||
$scriptHeader = $this->getCspHeader($resp, 'base-uri');
|
||||
$this->assertEquals('base-uri \'self\'', $scriptHeader);
|
||||
}
|
||||
|
||||
/**
|
||||
* Get the value of the first CSP header of the given type.
|
||||
*/
|
||||
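Review bot: The new tests only exercise the default configuration, so the `allow_content_scripts` branch in setObjectSrc — which deliberately suppresses the object-src header — has no coverage, and a regression that emits the header anyway (or drops it in the default mode) would only be half caught. Both new tests also reuse the name `$scriptHeader` for values that are not the script-src header, which reads as a copy-paste leftover; `$objectHeader` and `$baseUriHeader` would be clearer. I would add a third test for the gated path, assuming the Laravel `config()` repository is reachable from the test base class as it is from the service code; getCspHeader is declared after this hunk so its exact no-match return value is not visible here, hence `assertEmpty` rather than a strict comparison.

```php
public function test_object_src_csp_header_not_set_when_content_scripts_allowed()
{
    config()->set('app.allow_content_scripts', true);

    $resp = $this->get('/');
    $objectHeader = $this->getCspHeader($resp, 'object-src');
    $this->assertEmpty($objectHeader);
}
```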
|