set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header

This commit is contained in:
El RIDO 2022-03-13 17:24:47 +01:00
parent 1807580226
commit 6c1f0dde0c
No known key found for this signature in database
GPG key ID: 0F5C940A6BD81F92
5 changed files with 15 additions and 0 deletions

View file

@ -9,6 +9,7 @@
* ADDED: Google Cloud Storage backend support (#795)
* ADDED: Oracle database support (#868)
* ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
* ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
* CHANGED: Language selection cookie only transmitted over HTTPS (#472)
* CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21 & Showdown 2.0.0
* CHANGED: Removed automatic `.ini` configuration file migration (#808)

View file

@ -364,6 +364,16 @@ class Controller
setcookie('lang', $languageselection, 0, '', '', true);
}
// strip policies that are unsupported in meta tag
$metacspheader = str_replace(
array(
'frame-ancestors \'none\'; ',
'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
),
'',
$this->_conf->getKey('cspheader')
);
$page = new View;
$page->assign('NAME', $this->_conf->getKey('name'));
$page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
@ -392,6 +402,7 @@ class Controller
$page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
$page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
$page->assign('COMPRESSION', $this->_conf->getKey('compression'));
$page->assign('CSPHEADER', $metacspheader);
$page->draw($this->_conf->getKey('template'));
}

View file

@ -7,6 +7,7 @@ $isPage = substr($template, -5) === '-page';
<html lang="<?php echo I18n::_('en'); ?>">
<head>
<meta charset="utf-8" />
<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<meta name="robots" content="noindex" />

View file

@ -4,6 +4,7 @@ use PrivateBin\I18n;
<html lang="<?php echo I18n::_('en'); ?>">
<head>
<meta charset="utf-8" />
<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
<meta name="robots" content="noindex" />
<meta name="google" content="notranslate">
<title><?php echo I18n::_($NAME); ?></title>

View file

@ -60,6 +60,7 @@ class ViewTest extends PHPUnit_Framework_TestCase
$page->assign('HTTPWARNING', true);
$page->assign('HTTPSLINK', 'https://example.com/');
$page->assign('COMPRESSION', 'zlib');
$page->assign('CSPHEADER', 'default-src \'none\'');
$dir = dir(PATH . 'tpl');
while (false !== ($file = $dir->read())) {