BookStack/app/Http/Middleware/ApplyCspRules.php

<?php

namespace BookStack\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Response;


class ApplyCspRules
{
    /**
     * Handle an incoming request.
     *
     * @param Request $request
     * @param Closure $next
     *
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $nonce = Str::random(24);
        view()->share('cspNonce', $nonce);

        // TODO - Assess whether image/style/iframe CSP rules should be set
        // TODO - Extract nonce application to custom head content in a way that's cacheable.
        // TODO - Fix remaining CSP issues and test lots

        $response = $next($request);

        $this->setFrameAncestors($response);
        $this->setScriptSrc($response, $nonce);

        return $response;
    }

    /**
     * Sets CSP 'script-src' headers to restrict the forms of script that can
     * run on the page.
     */
    public function setScriptSrc(Response $response, string $nonce)
    {
        $parts = [
            '\'self\'',
            '\'nonce-' . $nonce . '\'',
            '\'strict-dynamic\'',
        ];
        $response->headers->set('Content-Security-Policy', 'script-src ' . implode(' ', $parts));
    }

    /**
     * Sets CSP "frame-ancestors" headers to restrict the hosts that BookStack can be
     * iframed within. Also adjusts the cookie samesite options so that cookies will
     * operate in the third-party context.
     */
    protected function setFrameAncestors(Response $response)
    {
        $iframeHosts = collect(explode(' ', config('app.iframe_hosts', '')))->filter();

        if ($iframeHosts->count() > 0) {
            config()->set('session.same_site', 'none');
        }

        $iframeHosts->prepend("'self'");
        $cspValue = 'frame-ancestors ' . $iframeHosts->join(' ');
        $response->headers->set('Content-Security-Policy', $cspValue);
    }
}
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`<?php`

			`namespace BookStack\Http\Middleware;`

			`use Closure;`
			`use Illuminate\Http\Request;`
			`use Illuminate\Support\Str;`
			`use Symfony\Component\HttpFoundation\Response;`


			`class ApplyCspRules`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*`
			`* @param Request $request`
			`* @param Closure $next`
			`*`
			`* @return mixed`
			`*/`
			`public function handle($request, Closure $next)`
			`{`
			`$nonce = Str::random(24);`
			`view()->share('cspNonce', $nonce);`

			`// TODO - Assess whether image/style/iframe CSP rules should be set`
			`// TODO - Extract nonce application to custom head content in a way that's cacheable.`
			`// TODO - Fix remaining CSP issues and test lots`

			`$response = $next($request);`

			`$this->setFrameAncestors($response);`
			`$this->setScriptSrc($response, $nonce);`

			`return $response;`
			`}`

			`/**`
			`* Sets CSP 'script-src' headers to restrict the forms of script that can`
			`* run on the page.`
			`*/`
			`public function setScriptSrc(Response $response, string $nonce)`
			`{`
			`$parts = [`
			`'\'self\'',`
			`'\'nonce-' . $nonce . '\'',`
			`'\'strict-dynamic\'',`
			`];`
			`$response->headers->set('Content-Security-Policy', 'script-src ' . implode(' ', $parts));`
			`}`

			`/**`
			`* Sets CSP "frame-ancestors" headers to restrict the hosts that BookStack can be`
			`* iframed within. Also adjusts the cookie samesite options so that cookies will`
			`* operate in the third-party context.`
			`*/`
			`protected function setFrameAncestors(Response $response)`
			`{`
			`$iframeHosts = collect(explode(' ', config('app.iframe_hosts', '')))->filter();`

			`if ($iframeHosts->count() > 0) {`
			`config()->set('session.same_site', 'none');`
			`}`

			`$iframeHosts->prepend("'self'");`
			`$cspValue = 'frame-ancestors ' . $iframeHosts->join(' ');`
			`$response->headers->set('Content-Security-Policy', $cspValue);`
			`}`
			`}`