extern/egroupware_official
1
0
Fork 0
mirror of https://github.com/EGroupware/egroupware.git synced 2024-11-16 13:03:16 +01:00
Code Issues Packages Projects Releases Wiki Activity

harden login page by no longer using www.groupware.org to load social media icons

Browse Source
This commit is contained in:
Ralf Becker 2015-02-21 13:29:32 +00:00
commit e9425499b4
5 changed files with 123 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
phpgwapi/inc/class.egw_framework.inc.php
View File

@ -180,18 +180,50 @@ abstract class egw_framework
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace()); //error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
} }
} }
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_script_src_attrs)).' '.function_backtrace()); //error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_connect_src_attrs)).' '.function_backtrace());
return implode(' ', self::$csp_connect_src_attrs); return implode(' ', self::$csp_connect_src_attrs);
} }
/** /**
* Query additional CSP frame-src from current app * Additional attributes or urls for CSP frame-src 'self'
* *
* @return array * @var array
*/ */
protected function _get_csp_frame_src() private static $csp_frame_src_attrs;
/**
* Set/get Content-Security-Policy attributes for frame-src:
*
* Calling this method with an empty array sets no frame-src, but "'self'"!
*
* @param string|array $set =array() URL (incl. protocol!)
* @return string with attributes eg. "'unsafe-inline'"
*/
public static function csp_frame_src_attrs($set=null)
{ {
return $GLOBALS['egw']->hooks->single('csp-frame-src', $GLOBALS['egw_info']['flags']['currentapp']); // set frame-src attrs of API and apps via hook
if (!isset(self::$csp_frame_src_attrs) && !isset($set))
{
$frame_src = array('manual.egroupware.org', 'www.egroupware.org');
if (($additional = $GLOBALS['egw']->hooks->single('csp-frame-src', $GLOBALS['egw_info']['flags']['currentapp'])))
{
$frame_src = array_unique(array_merge($frame_src, $additional));
}
return self::csp_frame_src_attrs($frame_src);
}
if (!isset(self::$csp_frame_src_attrs)) self::$csp_frame_src_attrs = array();
foreach((array)$set as $attr)
{
if (!in_array($attr, self::$csp_frame_src_attrs))
{
self::$csp_frame_src_attrs[] = $attr;
//error_log(__METHOD__."() setting CSP script-src $attr ".function_backtrace());
}
}
//error_log(__METHOD__."(".array2string($set).") returned ".array2string(implode(' ', self::$csp_frame_src_attrs)).' '.function_backtrace());
return implode(' ', self::$csp_frame_src_attrs);
} }
/** /**
@ -207,13 +239,10 @@ abstract class egw_framework
// - "connect-src 'self'" allows ajax requests only to self // - "connect-src 'self'" allows ajax requests only to self
// - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need // - "style-src 'self' 'unsave-inline'" allows only self and inline style, which we need
// - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org // - "frame-src 'self' manual.egroupware.org" allows frame and iframe content only for self or manual.egroupware.org
$frame_src = array("'self'", 'manual.egroupware.org', 'www.egroupware.org');
if (($additional = $this->_get_csp_frame_src())) $frame_src = array_unique(array_merge($frame_src, $additional));
$csp = "script-src 'self' ".self::csp_script_src_attrs(). $csp = "script-src 'self' ".self::csp_script_src_attrs().
"; connect-src 'self' ".self::csp_connect_src_attrs(). "; connect-src 'self' ".self::csp_connect_src_attrs().
"; style-src 'self' ".self::csp_style_src_attrs(). "; style-src 'self' ".self::csp_style_src_attrs().
"; frame-src ".implode(' ', $frame_src); "; frame-src 'self' ".self::csp_frame_src_attrs();
//$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything //$csp = "default-src * 'unsafe-eval' 'unsafe-inline'"; // allow everything
header("Content-Security-Policy: $csp"); header("Content-Security-Policy: $csp");
@ -512,8 +541,7 @@ abstract class egw_framework
*/ */
function login_screen($extra_vars) function login_screen($extra_vars)
{ {
//allow to include JSONP file with social media urls from egroupware.org self::csp_frame_src_attrs(array()); // array() no external frame-sources
self::csp_script_src_attrs('https://www.egroupware.org');
//error_log(__METHOD__."() server[template_dir]=".array2string($GLOBALS['egw_info']['server']['template_dir']).", this->template=$this->template, this->template_dir=$this->template_dir, get_class(this)=".get_class($this)); //error_log(__METHOD__."() server[template_dir]=".array2string($GLOBALS['egw_info']['server']['template_dir']).", this->template=$this->template, this->template_dir=$this->template_dir, get_class(this)=".get_class($this));
$tmpl = new Template($GLOBALS['egw_info']['server']['template_dir']); $tmpl = new Template($GLOBALS['egw_info']['server']['template_dir']);

34
phpgwapi/js/login.js
View File

@ -1,19 +1,19 @@
/* /**
* To change this license header, choose License Headers in Project Properties. * EGroupware login page javascript
* To change this template file, choose Tools | Templates *
* and open the template in the editor. * @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
* @package etemplate
* @subpackage api
* @link http://www.egroupware.org
* @version $Id$
*/ */
egw_LAB.wait(function()
egw_LAB.wait(function() { {
$j.ajax('https://www.egroupware.org/social.js', { $j(document).ready(function()
dataType: "jsonp",
jsonp: false,
jsonpCallback: "do_social",
cache: true
}).done(function(_data)
{ {
$j(document).ready(function() { function do_social(_data)
{
var isPixelegg = $j('link[href*="pixelegg.css"]')[0]; var isPixelegg = $j('link[href*="pixelegg.css"]')[0];
var social = $j(document.createElement('div')) var social = $j(document.createElement('div'))
.attr({ .attr({
@ -34,6 +34,12 @@ egw_LAB.wait(function() {
.append($j(document.createElement('img')) .append($j(document.createElement('img'))
.attr('src', data.svg)); .attr('src', data.svg));
} }
}); }
do_social([
{ "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_contact.svg", "url": "https://www.egroupware.org/en/contact.html", "lang": { "de": "https://www.egroupware.org/de/kontakt.html" }},
{ "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_facebook.svg", "url": "https://www.facebook.com/egroupware" },
{ "svg": egw_webserverUrl+"/phpgwapi/templates/default/images/login_twitter.svg", "url": "https://twitter.com/egroupware" }
]);
}); });
}); });

21
phpgwapi/templates/default/images/login_contact.svg Normal file
View File

@ -0,0 +1,21 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 16.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<?xml-stylesheet type="text/css" href="../../../../pixelegg/less/svg.css" ?>
<svg version="1.1" id="mail_navbar" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="28.347px" height="28.347px" viewBox="0 0 28.347 28.347" enable-background="new 0 0 28.347 28.347" xml:space="preserve">
<g>
<path fill-rule="evenodd" clip-rule="evenodd" fill="#ECEDED" d="M20.038,16.039c-3.507,0-5.767,2.659-5.767,5.72
c0,2.867,2.195,4.649,4.788,4.649c1.059,0,1.942-0.163,2.812-0.595l-0.253-0.639c-0.647,0.342-1.485,0.521-2.386,0.521
c-2.338,0-4.06-1.545-4.06-4.026c0-3.016,2.164-4.947,4.739-4.947c2.448,0,3.823,1.561,3.823,3.729
c0,1.708-0.901,2.733-1.707,2.703c-0.521-0.015-0.711-0.534-0.473-1.663l0.537-2.689c-0.412-0.178-1.028-0.312-1.691-0.312
c-2.196,0-3.743,1.68-3.743,3.521c0,1.174,0.789,1.871,1.706,1.871c0.947,0,1.674-0.43,2.228-1.307h0.046
c-0.03,0.921,0.554,1.307,1.186,1.307c1.469,0,2.797-1.307,2.797-3.535C24.62,17.866,22.787,16.039,20.038,16.039z M20.67,21.061
c-0.174,0.92-1.011,2.02-1.927,2.02c-0.695,0-1.043-0.476-1.043-1.129c0-1.44,1.121-2.674,2.512-2.674
c0.363,0,0.632,0.06,0.79,0.119L20.67,21.061z"/>
<polygon fill-rule="evenodd" clip-rule="evenodd" fill="#ECEDED" points="22.897,4.501 22.467,2.624 2.439,7.218 2.869,9.095
14.319,13.058 "/>
<path fill-rule="evenodd" clip-rule="evenodd" fill="#ECEDED" d="M23.185,6.551l-8.578,8.556l-11.45-3.961l2.44,9.842l7.337-1.684
c0.902-2.904,3.611-5.013,6.812-5.013c2.052,0,3.896,0.872,5.197,2.259l0.683-0.157L23.185,6.551z"/>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.8 KiB

19
phpgwapi/templates/default/images/login_facebook.svg Normal file
View File

@ -0,0 +1,19 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 16.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="facebook" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="28.35px" height="28.35px" viewBox="0 0 28.35 28.35" enable-background="new 0 0 28.35 28.35" xml:space="preserve">
<g>
<defs>
<rect id="SVGID_1_" x="0.003" y="0.003" width="28.344" height="28.344"/>
</defs>
<clipPath id="SVGID_2_">
<use xlink:href="#SVGID_1_" overflow="visible"/>
</clipPath>
<path clip-path="url(#SVGID_2_)" fill="#35528F" d="M26.782,28.347c0.863,0,1.564-0.7,1.564-1.564V1.567
c0-0.863-0.701-1.563-1.564-1.563H1.567c-0.864,0-1.564,0.7-1.564,1.563v25.216c0,0.864,0.7,1.564,1.564,1.564H26.782z"/>
<path clip-path="url(#SVGID_2_)" fill="#FFFFFF" d="M19.56,28.347V17.371h3.684l0.553-4.278H19.56v-2.731
c0-1.238,0.344-2.083,2.119-2.083l2.266-0.001V4.452c-0.393-0.053-1.736-0.169-3.301-0.169c-3.266,0-5.502,1.993-5.502,5.654v3.155
h-3.693v4.278h3.693v10.976H19.56z"/>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.2 KiB

24
phpgwapi/templates/default/images/login_twitter.svg Normal file
View File

@ -0,0 +1,24 @@
<?xml version="1.0" encoding="utf-8"?>
<!-- Generator: Adobe Illustrator 16.2.1, SVG Export Plug-In . SVG Version: 6.00 Build 0) -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" id="twitter" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
width="28.35px" height="28.35px" viewBox="0 0 28.35 28.35" enable-background="new 0 0 28.35 28.35" xml:space="preserve">
<g>
<defs>
<rect id="SVGID_1_" x="0.002" y="0.003" width="28.345" height="28.344"/>
</defs>
<clipPath id="SVGID_2_">
<use xlink:href="#SVGID_1_" overflow="visible"/>
</clipPath>
<path clip-path="url(#SVGID_2_)" fill="#6BACD9" d="M26.782,28.347c0.863,0,1.564-0.701,1.564-1.564V1.566
c0-0.863-0.701-1.563-1.564-1.563H1.566c-0.864,0-1.564,0.7-1.564,1.563v25.216c0,0.863,0.7,1.564,1.564,1.564H26.782z"/>
<path clip-path="url(#SVGID_2_)" fill="#FFFFFF" d="M26.041,7.459c-0.874,0.388-1.813,0.65-2.8,0.768
c1.006-0.604,1.779-1.559,2.143-2.697c-0.941,0.559-1.984,0.965-3.096,1.183C21.4,5.764,20.132,5.173,18.73,5.173
c-2.693,0-4.875,2.184-4.875,4.875c0,0.383,0.043,0.755,0.125,1.111C9.928,10.956,6.335,9.014,3.93,6.065
c-0.42,0.72-0.66,1.558-0.66,2.45c0,1.692,0.861,3.185,2.169,4.06c-0.799-0.026-1.551-0.245-2.208-0.61
C3.23,11.985,3.23,12.006,3.23,12.026c0,2.362,1.681,4.333,3.911,4.78c-0.409,0.111-0.84,0.172-1.284,0.172
c-0.314,0-0.62-0.031-0.918-0.088c0.621,1.938,2.422,3.348,4.555,3.387c-1.669,1.307-3.771,2.088-6.055,2.088
c-0.394,0-0.782-0.023-1.163-0.068c2.157,1.383,4.72,2.189,7.474,2.189c8.968,0,13.872-7.43,13.872-13.872
c0-0.212-0.006-0.422-0.014-0.631C24.562,9.296,25.387,8.436,26.041,7.459"/>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 1.7 KiB