From f35e2b4f15b1f7778633396fc94a731cee8ae047 Mon Sep 17 00:00:00 2001
From: Jonny Barnes
Date: Fri, 2 Mar 2018 16:46:45 +0000
Subject: [PATCH] Add the CSP headers

Squashed commit of the following:

commit 468945826621d2e586f7e5fa773623c4accc316a
Author: Jonny Barnes
Date:   Fri Mar 2 16:42:30 2018 +0000

    Update changelog

commit 36c6edce091c41861879a982e6ad250b395abbcf
Author: Jonny Barnes
Date:   Fri Mar 2 16:42:23 2018 +0000

    Add a test

commit ef9d7b564f8ea4f4528c42f411c14ddfaa132082
Author: Jonny Barnes
Date:   Fri Mar 2 16:42:13 2018 +0000

    Apply the CSPHeader middleware to all `web` requests

commit 737bfca3a6b446d52c0d0a8cc1b7b1c422876c0b
Author: Jonny Barnes
Date:   Fri Mar 2 16:41:45 2018 +0000

    Add a CSP header to a response, as well as the Report-To header
---
 app/Http/Kernel.php               |  1 +
 app/Http/Middleware/CSPHeader.php | 46 +++++++++++++++++++++++++++++++
 changelog.md                      |  1 +
 tests/Feature/CSPHeadersTest.php  | 16 +++++++++++
 4 files changed, 64 insertions(+)
 create mode 100644 app/Http/Middleware/CSPHeader.php
 create mode 100644 tests/Feature/CSPHeadersTest.php

diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index 3ef8070a..e4c35482 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -38,6 +38,7 @@ class Kernel extends HttpKernel
             \App\Http\Middleware\LinkHeadersMiddleware::class,
             \App\Http\Middleware\LocalhostSessionMiddleware::class,
             \App\Http\Middleware\ActivityStreamLinks::class,
+            \App\Http\Middleware\CSPHeader::class,
         ],
 
         'api' => [
diff --git a/app/Http/Middleware/CSPHeader.php b/app/Http/Middleware/CSPHeader.php
new file mode 100644
index 00000000..2be2823a
--- /dev/null
+++ b/app/Http/Middleware/CSPHeader.php
@@ -0,0 +1,46 @@
+header(
+                'Content-Security-Policy',
+                "default-src 'self'; " .
+                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://api.mapbox.com https://analytics.jmb.lv blob:; " .
+                "style-src 'self' 'unsafe-inline' https://api.mapbox.com https://fonts.googleapis.com use.typekit.net p.typekit.net; " .
+                "img-src 'self' data: blob: https://pbs.twimg.com https://api.mapbox.com https://*.tiles.mapbox.com https://jbuk-media.s3-eu-west-1.amazonaws.com https://secure.gravatar.com https://graph.facebook.com *.fbcdn.net https://*.cdninstagram.com analytics.jmb.lv https://*.4sqi.net https://upload.wikimedia.org p.typekit.net; " .
+                "font-src 'self' https://fonts.gstatic.com use.typekit.net fonts.typekit.net; " .
+                "connect-src 'self' https://api.mapbox.com https://*.tiles.mapbox.com performance.typekit.net data: blob:; " .
+                "worker-src 'self' blob:; " .
+                "frame-src 'self' https://www.youtube.com blob:; " .
+                "child-src 'self' blob:; " .
+                "upgrade-insecure-requests; " .
+                "block-all-mixed-content; " .
+                "report-to csp-endpoint;" .
+                "report-uri https://jonnybarnes.report-uri.io/r/default/csp/enforce;"
+            )
+            ->header(
+                'Report-To',
+                "{" .
+                "'url': 'https://jonnybarnes.report-uri.io/r/default/csp/enforce', " .
+                "'group': 'csp-endpoint'," .
+                "'max-age': 10886400" .
+                "}"
+            );
+    }
+}
diff --git a/changelog.md b/changelog.md
index 721dd3fb..d0f35b8d 100644
--- a/changelog.md
+++ b/changelog.md
@@ -2,6 +2,7 @@
 ## Version {next}
   - Add CORS headers as necessary in the Laravel app (as oppose to using nginx)
+  - Add CSP headers
 ## Version 0.16.1 (2018-02-17)
   - Fix issue where OwnYourSwarm requests include h-adr block for location
diff --git a/tests/Feature/CSPHeadersTest.php b/tests/Feature/CSPHeadersTest.php
new file mode 100644
index 00000000..1d558dbc
--- /dev/null
+++ b/tests/Feature/CSPHeadersTest.php
@@ -0,0 +1,16 @@
+get('/');
+        $response->assertHeader('Content-Security-Policy');
+        $response->assertHeader('Report-To');
+    }
+}
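Review bot: The Report-To value built in the second header() call is not valid JSON and does not match the Reporting API object shape, so browsers will discard it and the `report-to csp-endpoint` directive in the policy will never deliver a report: the members are quoted with single quotes, the key is `max-age` where the spec uses `max_age`, and the URL has to sit inside an `endpoints` array rather than as a top-level `url`. Building the value with json_encode() from an array removes the hand-written quoting altogether (rewritten lines below; the `report-uri` directive is kept as the fallback for browsers without Reporting API support). Separately, `script-src` allows both `'unsafe-inline'` and `'unsafe-eval'`, which removes most of the injection protection the policy is meant to provide; moving inline scripts to nonces or hashes would let those keywords be dropped, and `block-all-mixed-content` is redundant once `upgrade-insecure-requests` is set. The start of the middleware — the class declaration, the handle() signature and the `return $next($request)` the first `header(` hangs off — was lost from the visible hunk text.
```php
// … unchanged: ->header('Content-Security-Policy', …) …
            ->header(
                'Report-To',
                json_encode([
                    'group' => 'csp-endpoint',
                    'max_age' => 10886400,
                    'endpoints' => [
                        ['url' => 'https://jonnybarnes.report-uri.io/r/default/csp/enforce'],
                    ],
                ], JSON_UNESCAPED_SLASHES)
            );
```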
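Review bot: The two assertHeader() calls only check that each header is present, so a malformed policy or an unparseable Report-To body would still pass; asserting on the value is what would catch a regression here. Laravel's assertHeader() takes the expected value as an optional second argument, so the policy line can become `$response->assertHeader('Content-Security-Policy', $expectedPolicy);` with the policy string held in a local, and the Report-To line can be followed by `$this->assertJson($response->headers->get('Report-To'));` to prove the body is valid JSON. The test method's signature and the `$this->` preceding `get('/')` are outside the visible hunk text.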