Added a couple of additional CSP rules

As per guidance from google's CSP evaluator.
2024-11-26 10:13:38 +08:00 · 2021-09-04 14:34:43 +01:00 · 2021-09-04 14:34:43 +01:00 · 492af79c27
commit 492af79c27
parent 253f386f00
3 changed files with 40 additions and 0 deletions
--- a/app/Http/Middleware/ApplyCspRules.php
+++ b/app/Http/Middleware/ApplyCspRules.php
@ -38,6 +38,8 @@ class ApplyCspRules

        $this->cspService->setFrameAncestors($response);
        $this->cspService->setScriptSrc($response);
+        $this->cspService->setObjectSrc($response);
+        $this->cspService->setBaseUri($response);

        return $response;
    }
--- a/app/Util/CspService.php
+++ b/app/Util/CspService.php
@ -34,9 +34,12 @@ class CspService
        }

        $parts = [
+            'http:',
+            'https:',
            '\'nonce-' . $this->nonce . '\'',
            '\'strict-dynamic\'',
        ];
+
        $value = 'script-src ' . implode(' ', $parts);
        $response->headers->set('Content-Security-Policy', $value, false);
    }
@ -62,6 +65,27 @@ class CspService
        return count($this->getAllowedIframeHosts()) > 0;
    }

+    /**
+     * Sets CSP 'object-src' headers to restrict the types of dynamic content
+     * that can be embedded on the page.
+     */
+    public function setObjectSrc(Response $response)
+    {
+        if (config('app.allow_content_scripts')) {
+            return;
+        }
+
+        $response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
+    }
+
+    /**
+     * Sets CSP 'base-uri' headers to restrict what base tags can be set on
+     * the page to prevent manipulation of relative links.
+     */
+    public function setBaseUri(Response $response)
+    {
+        $response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
+    }

    protected function getAllowedIframeHosts(): array
    {
--- a/tests/SecurityHeaderTest.php
+++ b/tests/SecurityHeaderTest.php
@ -105,6 +105,20 @@ class SecurityHeaderTest extends TestCase
        $this->assertNotEmpty($scriptHeader);
    }

+    public function test_object_src_csp_header_set()
+    {
+        $resp = $this->get('/');
+        $scriptHeader = $this->getCspHeader($resp, 'object-src');
+        $this->assertEquals('object-src \'self\'', $scriptHeader);
+    }
+
+    public function test_base_uri_csp_header_set()
+    {
+        $resp = $this->get('/');
+        $scriptHeader = $this->getCspHeader($resp, 'base-uri');
+        $this->assertEquals('base-uri \'self\'', $scriptHeader);
+    }
+
    /**
     * Get the value of the first CSP header of the given type.
     */