harden login page by no longer using www.egroupware.org to load social media icons
This commit is contained in:
parent
370e503dab
commit
9cc1d409eb
@ -180,18 +180,50 @@ abstract class egw_framework
|
||||
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
|
||||
}
|
||||
}
|
||||
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace());
|
||||
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_connect_src_attrs)).' '.function_backtrace());
|
||||
return implode(' ', self::$csp_connect_src_attrs);
|
||||
}
|
||||
|
||||
/**
|
||||
* Query additional CSP frame-src from current app
|
||||
* Additional attributes or urls for CSP frame-src 'self'
|
||||
*
|
||||
* @return array
|
||||
* @var array
|
||||
*/
|
||||
protected function _get_csp_frame_src()
|
||||
private static $csp_frame_src_attrs;
|
||||
|
||||
/**
|
||||
* Set/get Content-Security-Policy attributes for frame-src:
|
||||
*
|
||||
* Calling this method with an empty array sets no frame-src, but "'self'"!
|
||||
*
|
||||
* @param string|array $set =array() URL (incl. protocol!)
|
||||
* @return string with attributes eg. "'unsafe-inline'"
|
||||
*/
|
||||
public static function csp_frame_src_attrs($set=null)
|
||||
{
|
||||
return $GLOBALS['egw']->hooks->single('csp-frame-src', $GLOBALS['egw_info']['flags']['currentapp']);
|
||||
// set frame-src attrs of API and apps via hook
|
||||
if (!isset(self::$csp_frame_src_attrs) && !isset($set))
|
||||
{
|
||||
$frame_src = array('manual.egroupware.org', 'www.egroupware.org');
|
||||
if (($additional = $GLOBALS['egw']->hooks->single('csp-frame-src', $GLOBALS['egw_info']['flags']['currentapp'])))
|
||||
{
|
||||
$frame_src = array_unique(array_merge($frame_src, $additional));
|
||||
}
|
||||
return self::csp_frame_src_attrs($frame_src);
|
||||
}
|
||||
|
||||
if (!isset(self::$csp_frame_src_attrs)) self::$csp_frame_src_attrs = array();
|
||||
|
||||
foreach((array)$set as $attr)
|
||||
{
|
||||
if (!in_array($attr, self::$csp_frame_src_attrs))
|
||||
{
|
||||
self::$csp_frame_src_attrs[] = $attr;
|
||||
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
|
||||
}
|
||||
}
|
||||
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_frame_src_attrs)).' '.function_backtrace());
|
||||
return implode(' ', self::$csp_frame_src_attrs);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -207,13 +239,10 @@ abstract class egw_framework
|
||||
// - "connect-src 'self'" allows ajax requests only to self
|
||||
// - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need
|
||||
// - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
|
||||
$frame_src = array("'self'", 'manual.egroupware.org', 'www.egroupware.org');
|
||||
if (($additional = $this->_get_csp_frame_src())) $frame_src = array_unique(array_merge($frame_src, $additional));
|
||||
|
||||
$csp = "script-src 'self' ".self::csp_script_src_attrs().
|
||||
"; connect-src 'self' ".self::csp_connect_src_attrs().
|
||||
"; style-src 'self' ".self::csp_style_src_attrs().
|
||||
"; frame-src ".implode(' ', $frame_src);
|
||||
"; frame-src 'self' ".self::csp_frame_src_attrs();
|
||||
|
||||
//$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything
|
||||
header("Content-Security-Policy: $csp");
|
||||
@ -512,8 +541,7 @@ abstract class egw_framework
|
||||
*/
|
||||
function login_screen($extra_vars)
|
||||
{
|
||||
//allow to include JSONP file with social media urls from egroupware.org
|
||||
self::csp_script_src_attrs('https://www.egroupware.org');
|
||||
self::csp_frame_src_attrs(array()); // array() no external frame-sources
|
||||
|
||||
//error_log(__METHOD__."() server[template_dir]=".array2string($GLOBALS['egw_info']['server']['template_dir']).", this->template=$this->template, this->template_dir=$this->template_dir, get_class(this)=".get_class($this));
|
||||
$tmpl = new Template($GLOBALS['egw_info']['server']['template_dir']);
|
||||
|
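Review bot: `csp_frame_src_attrs()` in the first hunk only installs the `manual.egroupware.org`/`www.egroupware.org` defaults when the static cache is unset and `$set` is null, and a later call with `array()` merely appends nothing to an already-populated cache — so the `self::csp_frame_src_attrs(array())` added to `login_screen()` in the last hunk yields `frame-src 'self'` only if nothing earlier in the request has called the getter without arguments; otherwise both external hosts remain in the login page's CSP. The doc comment's promise "Calling this method with an empty array sets no frame-src, but 'self'!" should carry that caveat, e.g. `* NOTE: only effective before the first parameterless call of the request - the static cache is never reset`, or the method should reset the cache with `if ($set === array()) self::$csp_frame_src_attrs = array();` before the foreach. Entries returned by the `csp-frame-src` hook are also appended verbatim; presumably they come from trusted app code, but a value containing whitespace or `;` would change the meaning of the header, so a guard such as `if (!is_string($attr) || preg_match('/[\s;]/', $attr)) continue;` ahead of the append, together with `in_array($attr, self::$csp_frame_src_attrs, true)`, would be cheap insurance.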
@ -1,19 +1,19 @@
|
||||
/*
|
||||
* To change this license header, choose License Headers in Project Properties.
|
||||
* To change this template file, choose Tools | Templates
|
||||
* and open the template in the editor.
|
||||
/**
|
||||
* EGroupware login page javascript
|
||||
*
|
||||
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
||||
* @package etemplate
|
||||
* @subpackage api
|
||||
* @link http://www.egroupware.org
|
||||
* @version $Id$
|
||||
*/
|
||||
|
||||
|
||||
egw_LAB.wait(function() {
|
||||
$j.ajax('https://www.egroupware.org/social.js', {
|
||||
dataType: "jsonp",
|
||||
jsonp: false,
|
||||
jsonpCallback: "do_social",
|
||||
cache: true
|
||||
}).done(function(_data)
|
||||
egw_LAB.wait(function()
|
||||
{
|
||||
$j(document).ready(function()
|
||||
{
|
||||
$j(document).ready(function() {
|
||||
function do_social(_data)
|
||||
{
|
||||
var isPixelegg = $j('link[href*="pixelegg.css"]')[0];
|
||||
var social = $j(document.createElement('div'))
|
||||
.attr({
|
||||
@ -34,6 +34,12 @@ egw_LAB.wait(function() {
|
||||
.append($j(document.createElement('img'))
|
||||
.attr('src', data.svg));
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
do_social([
|
||||
{ "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_contact.svg", "url": "https://www.egroupware.org/en/contact.html", "lang": { "de": "https://www.egroupware.org/de/kontakt.html" }},
|
||||
{ "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_facebook.svg", "url": "https://www.facebook.com/egroupware" },
|
||||
{ "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_twitter.svg", "url": "https://twitter.com/egroupware" }
|
||||
]);
|
||||
});
|
||||
});
|
||||
|
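Review bot: The inlined array handed to `do_social` at the end of the second hunk carries no comment explaining why the list is static, so a future maintainer may well reinstate a remote feed; a comment above the call such as `// Keep this list static: it used to be fetched as JSONP from www.egroupware.org, which executed third-party script on the login page` would preserve the intent of this commit. `do_social` still copies each entry's `svg` (and, presumably, its `url`, applied above this hunk) straight into element attributes, which is fine for this constant array but worth stating in its JSDoc, e.g. `* @param {Array} _data static entries {svg, url, lang}; must never come from a remote source`. If the anchor created for `url` opens in a new window (`target: '_blank'`), it should also set `rel: 'noopener noreferrer'`; that code lies outside the hunk, so I cannot confirm it from here.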
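--- /dev/null
+++ b/phpgwapi/templates/default/images/login_contact.svg
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 16.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<?xml-stylesheet type="text/css" href="../../../../pixelegg/less/svg.css" ?>
+<svg version="1.1" id="mail_navbar" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+width="28.347px" height="28.347px" viewBox="0 0 28.347 28.347" enable-background="new 0 0 28.347 28.347" xml:space="preserve">
+<g>
+<path fill-rule="evenodd" clip-rule="evenodd" fill="#ECEDED" d="M20.038,16.039c-3.507,0-5.767,2.659-5.767,5.72
+c0,2.867,2.195,4.649,4.788,4.649c1.059,0,1.942-0.163,2.812-0.595l-0.253-0.639c-0.647,0.342-1.485,0.521-2.386,0.521
+c-2.338,0-4.06-1.545-4.06-4.026c0-3.016,2.164-4.947,4.739-4.947c2.448,0,3.823,1.561,3.823,3.729
+c0,1.708-0.901,2.733-1.707,2.703c-0.521-0.015-0.711-0.534-0.473-1.663l0.537-2.689c-0.412-0.178-1.028-0.312-1.691-0.312
+c-2.196,0-3.743,1.68-3.743,3.521c0,1.174,0.789,1.871,1.706,1.871c0.947,0,1.674-0.43,2.228-1.307h0.046
+c-0.03,0.921,0.554,1.307,1.186,1.307c1.469,0,2.797-1.307,2.797-3.535C24.62,17.866,22.787,16.039,20.038,16.039z M20.67,21.061
+c-0.174,0.92-1.011,2.02-1.927,2.02c-0.695,0-1.043-0.476-1.043-1.129c0-1.44,1.121-2.674,2.512-2.674
+c0.363,0,0.632,0.06,0.79,0.119L20.67,21.061z"/>
+<polygon fill-rule="evenodd" clip-rule="evenodd" fill="#ECEDED" points="22.897,4.501 22.467,2.624 2.439,7.218 2.869,9.095
+14.319,13.058 "/>
+<path fill-rule="evenodd" clip-rule="evenodd" fill="#ECEDED" d="M23.185,6.551l-8.578,8.556l-11.45-3.961l2.44,9.842l7.337-1.684
+c0.902-2.904,3.611-5.013,6.812-5.013c2.052,0,3.896,0.872,5.197,2.259l0.683-0.157L23.185,6.551z"/>
+</g>
+</svg>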
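--- /dev/null
+++ b/phpgwapi/templates/default/images/login_facebook.svg
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 16.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="facebook" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+width="28.35px" height="28.35px" viewBox="0 0 28.35 28.35" enable-background="new 0 0 28.35 28.35" xml:space="preserve">
+<g>
+<defs>
+<rect id="SVGID_1_" x="0.003" y="0.003" width="28.344" height="28.344"/>
+</defs>
+<clipPath id="SVGID_2_">
+<use xlink:href="#SVGID_1_" overflow="visible"/>
+</clipPath>
+<path clip-path="url(#SVGID_2_)" fill="#35528F" d="M26.782,28.347c0.863,0,1.564-0.7,1.564-1.564V1.567
+c0-0.863-0.701-1.563-1.564-1.563H1.567c-0.864,0-1.564,0.7-1.564,1.563v25.216c0,0.864,0.7,1.564,1.564,1.564H26.782z"/>
+<path clip-path="url(#SVGID_2_)" fill="#FFFFFF" d="M19.56,28.347V17.371h3.684l0.553-4.278H19.56v-2.731
+c0-1.238,0.344-2.083,2.119-2.083l2.266-0.001V4.452c-0.393-0.053-1.736-0.169-3.301-0.169c-3.266,0-5.502,1.993-5.502,5.654v3.155
+h-3.693v4.278h3.693v10.976H19.56z"/>
+</g>
+</svg>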
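--- /dev/null
+++ b/phpgwapi/templates/default/images/login_twitter.svg
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 16.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" id="twitter" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+width="28.35px" height="28.35px" viewBox="0 0 28.35 28.35" enable-background="new 0 0 28.35 28.35" xml:space="preserve">
+<g>
+<defs>
+<rect id="SVGID_1_" x="0.002" y="0.003" width="28.345" height="28.344"/>
+</defs>
+<clipPath id="SVGID_2_">
+<use xlink:href="#SVGID_1_" overflow="visible"/>
+</clipPath>
+<path clip-path="url(#SVGID_2_)" fill="#6BACD9" d="M26.782,28.347c0.863,0,1.564-0.701,1.564-1.564V1.566
+c0-0.863-0.701-1.563-1.564-1.563H1.566c-0.864,0-1.564,0.7-1.564,1.563v25.216c0,0.863,0.7,1.564,1.564,1.564H26.782z"/>
+<path clip-path="url(#SVGID_2_)" fill="#FFFFFF" d="M26.041,7.459c-0.874,0.388-1.813,0.65-2.8,0.768
+c1.006-0.604,1.779-1.559,2.143-2.697c-0.941,0.559-1.984,0.965-3.096,1.183C21.4,5.764,20.132,5.173,18.73,5.173
+c-2.693,0-4.875,2.184-4.875,4.875c0,0.383,0.043,0.755,0.125,1.111C9.928,10.956,6.335,9.014,3.93,6.065
+c-0.42,0.72-0.66,1.558-0.66,2.45c0,1.692,0.861,3.185,2.169,4.06c-0.799-0.026-1.551-0.245-2.208-0.61
+C3.23,11.985,3.23,12.006,3.23,12.026c0,2.362,1.681,4.333,3.911,4.78c-0.409,0.111-0.84,0.172-1.284,0.172
+c-0.314,0-0.62-0.031-0.918-0.088c0.621,1.938,2.422,3.348,4.555,3.387c-1.669,1.307-3.771,2.088-6.055,2.088
+c-0.394,0-0.782-0.023-1.163-0.068c2.157,1.383,4.72,2.189,7.474,2.189c8.968,0,13.872-7.43,13.872-13.872
+c0-0.212-0.006-0.422-0.014-0.631C24.562,9.296,25.387,8.436,26.041,7.459"/>
+</g>
+</svg>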