IntenseFinance/firefly-iii
3
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-02-25 18:45:27 -06:00
Code Issues Packages Projects Releases Wiki Activity

Improve config of CSP headers.

Browse Source
This commit is contained in:
James Cole
2020-01-11 05:28:20 +01:00
parent 97dffaa8a9
commit c55bfc0b8c
3 changed files with 45 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
.env.example
View File

@@ -161,9 +161,16 @@ WINDOWS_SSO_KEY=AUTH_USER
ADLDAP_SYNC_FIELD=userprincipalname ADLDAP_SYNC_FIELD=userprincipalname
# You can disable the X-Frame-Options header if it interferes with tools like # You can disable the X-Frame-Options header if it interferes with tools like
# Organizr. This is at your own risk. # Organizr. This is at your own risk. Applications running in frames run the risk
# of leaking information to their parent frame.
DISABLE_FRAME_HEADER=false DISABLE_FRAME_HEADER=false
# You can disable the Content Security Policy header when you're using an ancient browser
# or any version of Microsoft Edge / Internet Explorer (which amounts to the same thing really)
# This leaves you with the risk of not being able to stop XSS bugs should they ever surface.
# This is at your own risk.
DISABLE_CSP_HEADER=false
# You can fine tune the start-up of a Docker container by editing these environment variables. # You can fine tune the start-up of a Docker container by editing these environment variables.
# Use this at your own risk. Disabling certain checks and features may result in lost of inconsistent data. # Use this at your own risk. Disabling certain checks and features may result in lost of inconsistent data.
# However if you know what you're doing you can significantly speed up container start times. # However if you know what you're doing you can significantly speed up container start times.

53
app/Http/Middleware/SecureHeaders.php
View File

@@ -25,7 +25,6 @@ namespace FireflyIII\Http\Middleware;
use Closure; use Closure;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Illuminate\Support\Str;
/** /**
* *
@@ -44,27 +43,22 @@ class SecureHeaders
*/ */
public function handle(Request $request, Closure $next) public function handle(Request $request, Closure $next)
{ {
// generate and share nonce.
$nonce = base64_encode(random_bytes(16)); $nonce = base64_encode(random_bytes(16));
app('view')->share('JS_NONCE', $nonce); app('view')->share('JS_NONCE', $nonce);
$response = $next($request); $response = $next($request);
$google = ''; $googleScriptSrc = $this->getGoogleScriptSource();
$googleImg = ''; $googleImgSrc = $this->getGoogleImgSource();
$analyticsId = config('firefly.analytics_id'); $csp = [
if ('' !== $analyticsId) {
$google = 'https://www.googletagmanager.com/gtag/js https://www.google-analytics.com/analytics.js'; // @codeCoverageIgnore
$googleImg = 'https://www.google-analytics.com/';
}
$csp = [
"default-src 'none'", "default-src 'none'",
"object-src 'self'", "object-src 'self'",
sprintf("script-src 'unsafe-inline' %s 'nonce-%s'", $nonce, $google), sprintf("script-src 'unsafe-inline' %s 'nonce-%s'", $googleScriptSrc, $nonce),
"style-src 'self' 'unsafe-inline'", "style-src 'self' 'unsafe-inline'",
"base-uri 'self'", "base-uri 'self'",
"font-src 'self' data:", "font-src 'self' data:",
"connect-src 'self'", "connect-src 'self'",
sprintf("img-src 'self' data: https://api.tiles.mapbox.com %s", $googleImg), sprintf("img-src 'self' data: https://api.tiles.mapbox.com %s", $googleImgSrc),
"manifest-src 'self'", "manifest-src 'self'",
]; ];
@@ -90,12 +84,11 @@ class SecureHeaders
]; ];
$disableFrameHeader = config('firefly.disable_frame_header'); $disableFrameHeader = config('firefly.disable_frame_header');
if (false === $disableFrameHeader || null === $disableFrameHeader) { $disableCSP = config('firefly.disable_csp_header');
if (false === $disableFrameHeader) {
$response->header('X-Frame-Options', 'deny'); $response->header('X-Frame-Options', 'deny');
} }
if (false === $disableCSP && !$response->headers->has('Content-Security-Policy')) {
// content security policy may be set elsewhere.
if (!$response->headers->has('Content-Security-Policy')) {
$response->header('Content-Security-Policy', implode('; ', $csp)); $response->header('Content-Security-Policy', implode('; ', $csp));
} }
$response->header('X-XSS-Protection', '1; mode=block'); $response->header('X-XSS-Protection', '1; mode=block');
@@ -105,4 +98,30 @@ class SecureHeaders
return $response; return $response;
} }
/**
* @return string
*/
private function getGoogleImgSource(): string
{
if ('' !== config('firefly.analytics_id')) {
return 'https://www.google-analytics.com/';
}
return '';
}
/**
* Return part of a CSP header allowing scripts from Google.
*
* @return string
*/
private function getGoogleScriptSource(): string
{
if ('' !== config('firefly.analytics_id')) {
return 'https://www.googletagmanager.com/gtag/js https://www.google-analytics.com/analytics.js';
}
return '';
}
} }

1
config/firefly.php
View File

@@ -154,6 +154,7 @@ return [
'send_report_journals' => envNonEmpty('SEND_REPORT_JOURNALS', true), 'send_report_journals' => envNonEmpty('SEND_REPORT_JOURNALS', true),
'analytics_id' => env('ANALYTICS_ID', ''), 'analytics_id' => env('ANALYTICS_ID', ''),
'disable_frame_header' => env('DISABLE_FRAME_HEADER', false), 'disable_frame_header' => env('DISABLE_FRAME_HEADER', false),
'disable_csp_header' => env('DISABLE_CSP_HEADER', false),
'login_provider' => envNonEmpty('LOGIN_PROVIDER', 'eloquent'), 'login_provider' => envNonEmpty('LOGIN_PROVIDER', 'eloquent'),
'cer_provider' => envNonEmpty('CER_PROVIDER', 'fixer'), 'cer_provider' => envNonEmpty('CER_PROVIDER', 'fixer'),
'update_endpoint' => 'https://version.firefly-iii.org/index.json', 'update_endpoint' => 'https://version.firefly-iii.org/index.json',