From e349c1057bda9872c69a97f357604964bae2c921 Mon Sep 17 00:00:00 2001
From: Bubka <858858+Bubka@users.noreply.github.com>
Date: Tue, 19 Nov 2024 12:47:37 +0100
Subject: [PATCH] Fix & re-enable CSP - Fixes #417
---
.env.example | 2 +-
Dockerfile | 2 +-
.../AddContentSecurityPolicyHeaders.php | 23 ++++++++++++++-----
config/2fauth.php | 2 +-
resources/views/landing.blade.php | 2 +-
5 files changed, 21 insertions(+), 10 deletions(-)
diff --git a/.env.example b/.env.example
index b9a56ada..3affa391 100644
--- a/.env.example
+++ b/.env.example
@@ -279,7 +279,7 @@ PROXY_FOR_OUTGOING_REQUESTS=null
# This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
# an attacker is able to inject malicious code into the web app
-CONTENT_SECURITY_POLICY=false
+CONTENT_SECURITY_POLICY=true
# Leave the following configuration vars as is.
diff --git a/Dockerfile b/Dockerfile
index 77214c26..7619506d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -242,7 +242,7 @@ ENV \
# CSP helps to prevent or minimize the risk of certain types of security threats.
# This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
# an attacker is able to inject malicious code into the web app
- CONTENT_SECURITY_POLICY=false \
+ CONTENT_SECURITY_POLICY=true \
# Leave the following configuration vars as is.
# Unless you like to tinker and know what you're doing.
BROADCAST_DRIVER=log \
diff --git a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
index 0fa54d74..7ef78c19 100644
--- a/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
+++ b/app/Http/Middleware/AddContentSecurityPolicyHeaders.php
@@ -16,13 +16,24 @@ class AddContentSecurityPolicyHeaders
*/
public function handle(Request $request, Closure $next) : Response
{
- // if (config('2fauth.config.contentSecurityPolicy')) {
- // Vite::useCspNonce();
+ if (config('2fauth.config.contentSecurityPolicy')) {
+ Vite::useCspNonce();
- // return $next($request)->withHeaders([
- // 'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
- // ]);
- // }
+ $assetUrl = config('app.asset_url') != config('app.url') ? config('app.asset_url') : '';
+
+ $directives['script-src'] = "script-src 'nonce-" . Vite::cspNonce() . "' " . $assetUrl . ";";
+ $directives['script-src-elem'] = "script-src-elem 'nonce-" . Vite::cspNonce() . "' " . $assetUrl . " 'strict-dynamic';";
+ $directives['style-src'] = "style-src 'self' " . $assetUrl . " 'unsafe-inline';";
+ $directives['connect-src'] = "connect-src 'self';";
+ $directives['img-src'] = "img-src 'self' data: " . $assetUrl . ";";
+ $directives['object-src'] = "object-src 'none';";
+
+ $csp = implode(' ', $directives);
+
+ return $next($request)->withHeaders([
+ 'Content-Security-Policy' => $csp,
+ ]);
+ }
return $next($request);
}
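Review bot: The policy assembled at lines 53–58 carries no `base-uri`, `frame-ancestors` or `form-action` directive, so an injected `<base href>` can redirect the nonce'd `<script src>` elements to another host (their host is no longer checked once the `'strict-dynamic'` on line 54 applies), the page stays frameable (clickjacking against a 2FA UI), and forms may post cross-origin. Adding `$directives['base-uri'] = "base-uri 'self';";`, `$directives['frame-ancestors'] = "frame-ancestors 'self';";` and `$directives['form-action'] = "form-action 'self';";` closes those gaps without touching asset loading. Separately, the `!=` on line 51 relies on a null `app.asset_url` stringifying to "" and leaves a double space inside each directive; `$assetUrl = config('app.asset_url'); $assetUrl = ($assetUrl && $assetUrl !== config('app.url')) ? $assetUrl : '';` makes that intent explicit. `'unsafe-inline'` in `style-src` is presumably required by the Vue/Vite build, but it permits CSS-based exfiltration of attribute values, so a comment such as `// 'unsafe-inline' kept for runtime-injected component styles; revisit if the build supports style nonces` would document the trade-off. The enclosing class continues past the hunk.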
diff --git a/config/2fauth.php b/config/2fauth.php
index 5b1a3347..38700c41 100644
--- a/config/2fauth.php
+++ b/config/2fauth.php
@@ -31,7 +31,7 @@
'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null),
'appSubdirectory' => env('APP_SUBDIRECTORY', ''),
'authLogRetentionTime' => envUnlessEmpty('AUTHENTICATION_LOG_RETENTION', 365),
- 'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', false),
+ 'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', true),
],
/*
diff --git a/resources/views/landing.blade.php b/resources/views/landing.blade.php
index be516c0b..693d3ef4 100644
--- a/resources/views/landing.blade.php
+++ b/resources/views/landing.blade.php
@@ -15,7 +15,7 @@
-
+