1
0
mirror of https://github.com/BookStackApp/BookStack.git synced 2024-10-30 07:32:39 +01:00

Added a couple of additional CSP rules

As per guidance from google's CSP evaluator.
This commit is contained in:
Dan Brown 2021-09-04 14:34:43 +01:00
parent 253f386f00
commit 492af79c27
No known key found for this signature in database
GPG Key ID: 46D9F943C24A2EF9
3 changed files with 40 additions and 0 deletions

View File

@ -38,6 +38,8 @@ class ApplyCspRules
$this->cspService->setFrameAncestors($response);
$this->cspService->setScriptSrc($response);
$this->cspService->setObjectSrc($response);
$this->cspService->setBaseUri($response);
return $response;
}

View File

@ -34,9 +34,12 @@ class CspService
}
$parts = [
'http:',
'https:',
'\'nonce-' . $this->nonce . '\'',
'\'strict-dynamic\'',
];
$value = 'script-src ' . implode(' ', $parts);
$response->headers->set('Content-Security-Policy', $value, false);
}
@ -62,6 +65,27 @@ class CspService
return count($this->getAllowedIframeHosts()) > 0;
}
/**
* Sets CSP 'object-src' headers to restrict the types of dynamic content
* that can be embedded on the page.
*/
public function setObjectSrc(Response $response)
{
if (config('app.allow_content_scripts')) {
return;
}
$response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
}
/**
* Sets CSP 'base-uri' headers to restrict what base tags can be set on
* the page to prevent manipulation of relative links.
*/
public function setBaseUri(Response $response)
{
$response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
}
protected function getAllowedIframeHosts(): array
{

View File

@ -105,6 +105,20 @@ class SecurityHeaderTest extends TestCase
$this->assertNotEmpty($scriptHeader);
}
public function test_object_src_csp_header_set()
{
$resp = $this->get('/');
$scriptHeader = $this->getCspHeader($resp, 'object-src');
$this->assertEquals('object-src \'self\'', $scriptHeader);
}
public function test_base_uri_csp_header_set()
{
$resp = $this->get('/');
$scriptHeader = $this->getCspHeader($resp, 'base-uri');
$this->assertEquals('base-uri \'self\'', $scriptHeader);
}
/**
* Get the value of the first CSP header of the given type.
*/