Merge pull request #1363 from jonnybarnes/develop

MTM Remove CSP header
This commit is contained in:
Jonny Barnes 2024-03-23 15:13:55 +00:00 committed by GitHub
commit 507bac08f2
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 0 additions and 142 deletions


@ -1,74 +0,0 @@
<?php
namespace App\Http;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
class Kernel extends HttpKernel
{
/**
* The application's global HTTP middleware stack.
*
* These middleware are run during every request to your application.
*
* @var array<int, class-string|string>
*/
protected $middleware = [
// \App\Http\Middleware\TrustHosts::class,
\App\Http\Middleware\TrustProxies::class,
\Illuminate\Http\Middleware\HandleCors::class,
\App\Http\Middleware\PreventRequestsDuringMaintenance::class,
\Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
\App\Http\Middleware\TrimStrings::class,
\Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
];
/**
* The application's route middleware groups.
*
* @var array<string, array<int, class-string|string>>
*/
protected $middlewareGroups = [
'web' => [
\App\Http\Middleware\EncryptCookies::class,
\Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
\Illuminate\Session\Middleware\StartSession::class,
\Illuminate\View\Middleware\ShareErrorsFromSession::class,
\App\Http\Middleware\VerifyCsrfToken::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\App\Http\Middleware\LinkHeadersMiddleware::class,
\App\Http\Middleware\LocalhostSessionMiddleware::class,
\App\Http\Middleware\CSPHeader::class,
],
'api' => [
// \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
\Illuminate\Routing\Middleware\ThrottleRequests::class.':api',
\Illuminate\Routing\Middleware\SubstituteBindings::class,
],
];
/**
* The application's middleware aliases.
*
* Aliases may be used instead of class names to conveniently assign middleware to routes and groups.
*
* @var array<string, class-string|string>
*/
protected $middlewareAliases = [
'auth' => \App\Http\Middleware\Authenticate::class,
'auth.basic' => \Illuminate\Auth\Middleware\AuthenticateWithBasicAuth::class,
'auth.session' => \Illuminate\Session\Middleware\AuthenticateSession::class,
'cache.headers' => \Illuminate\Http\Middleware\SetCacheHeaders::class,
'can' => \Illuminate\Auth\Middleware\Authorize::class,
'guest' => \App\Http\Middleware\RedirectIfAuthenticated::class,
'password.confirm' => \Illuminate\Auth\Middleware\RequirePassword::class,
'precognitive' => \Illuminate\Foundation\Http\Middleware\HandlePrecognitiveRequests::class,
'signed' => \App\Http\Middleware\ValidateSignature::class,
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
'verified' => \Illuminate\Auth\Middleware\EnsureEmailIsVerified::class,
'micropub.token' => \App\Http\Middleware\VerifyMicropubToken::class,
'myauth' => \App\Http\Middleware\MyAuthMiddleware::class,
'cors' => \App\Http\Middleware\CorsHeaders::class,
];
}


@ -1,48 +0,0 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\App;
use Symfony\Component\HttpFoundation\Response;
class CSPHeader
{
/**
* Handle an incoming request.
*
* @psalm-suppress PossiblyUnusedMethod
*/
public function handle(Request $request, Closure $next): Response
{
if (App::environment('local', 'development')) {
return $next($request);
}
// headers have to be single-line strings,
// so we concat multiple lines
// phpcs:disable Generic.Files.LineLength.TooLong
return $next($request)
->header(
'Content-Security-Policy',
"default-src 'self'; " .
"style-src 'self' 'unsafe-inline' cloud.typography.com jonnybarnes.uk; " .
"img-src 'self' data: blob: https://pbs.twimg.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://jbuk-media-dev.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com https://*.4sqi.net https://upload.wikimedia.org https://mastodon.thebeeches.house; " .
"font-src 'self' data:; " .
"frame-src 'self' https://www.youtube.com blob:; " .
'upgrade-insecure-requests; ' .
'block-all-mixed-content; ' .
'report-to csp-endpoint; ' .
'report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;'
)->header(
'Report-To',
'{' .
"'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
"'group': 'csp-endpoint', " .
"'max-age': 10886400" .
'}'
);
// phpcs:enable Generic.Files.LineLength.TooLong
}
}


@ -1,6 +1,5 @@
<?php
use App\Http\Middleware\CSPHeader;
use Illuminate\Foundation\Application;
use Illuminate\Foundation\Configuration\Exceptions;
use Illuminate\Foundation\Configuration\Middleware;
@ -19,7 +18,6 @@ return Application::configure(basePath: dirname(__DIR__))
'micropub/places',
'webmention',
]);
$middleware->append(CSPHeader::class);
})
->withExceptions(function (Exceptions $exceptions) {
//
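Review bot: After this hunk the `withMiddleware` closure registers no Content-Security-Policy at all, and the same commit deletes both the `CSPHeader` middleware and `CSPHeadersTest` without recording where, if anywhere, the policy is now emitted. The removed policy carried `default-src 'self'`, `upgrade-insecure-requests` and violation reporting, so responses from this application lose that browser-side mitigation unless a reverse proxy or CDN in front of it now sets an equivalent header, which nothing on this page shows. If the header has intentionally moved out of the application, a short comment at the end of the `withMiddleware` closure, `// CSP is set outside the app (see deployment config); do not re-add CSPHeader here`, would keep the next reader from reintroducing it; if it was dropped because the policy broke a page, keeping the old policy as `Content-Security-Policy-Report-Only` with the existing report-uri would retain the violation telemetry while the policy is corrected. The `withMiddleware` closure begins outside this hunk.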


@ -1,18 +0,0 @@
<?php
declare(strict_types=1);
namespace Tests\Feature;
use Tests\TestCase;
class CSPHeadersTest extends TestCase
{
/** @test */
public function checkCspHeadersArePresent(): void
{
$response = $this->get('/blog');
$response->assertHeader('Content-Security-Policy');
$response->assertHeader('Report-To');
}
}