set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
This commit is contained in:
parent
1807580226
commit
6c1f0dde0c
|
@ -9,6 +9,7 @@
|
|||
* ADDED: Google Cloud Storage backend support (#795)
|
||||
* ADDED: Oracle database support (#868)
|
||||
* ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
|
||||
* ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
|
||||
* CHANGED: Language selection cookie only transmitted over HTTPS (#472)
|
||||
* CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21 & Showdown 2.0.0
|
||||
* CHANGED: Removed automatic `.ini` configuration file migration (#808)
|
||||
|
|
|
@ -364,6 +364,16 @@ class Controller
|
|||
setcookie('lang', $languageselection, 0, '', '', true);
|
||||
}
|
||||
|
||||
// strip policies that are unsupported in meta tag
|
||||
$metacspheader = str_replace(
|
||||
array(
|
||||
'frame-ancestors \'none\'; ',
|
||||
'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
|
||||
),
|
||||
'',
|
||||
$this->_conf->getKey('cspheader')
|
||||
);
|
||||
|
||||
$page = new View;
|
||||
$page->assign('NAME', $this->_conf->getKey('name'));
|
||||
$page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
|
||||
|
@ -392,6 +402,7 @@ class Controller
|
|||
$page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
|
||||
$page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
|
||||
$page->assign('COMPRESSION', $this->_conf->getKey('compression'));
|
||||
$page->assign('CSPHEADER', $metacspheader);
|
||||
$page->draw($this->_conf->getKey('template'));
|
||||
}
|
||||
|
||||
|
|
|
@ -7,6 +7,7 @@ $isPage = substr($template, -5) === '-page';
|
|||
<html lang="<?php echo I18n::_('en'); ?>">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
|
||||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||
<meta name="robots" content="noindex" />
|
||||
|
|
|
@ -4,6 +4,7 @@ use PrivateBin\I18n;
|
|||
<html lang="<?php echo I18n::_('en'); ?>">
|
||||
<head>
|
||||
<meta charset="utf-8" />
|
||||
<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
|
||||
<meta name="robots" content="noindex" />
|
||||
<meta name="google" content="notranslate">
|
||||
<title><?php echo I18n::_($NAME); ?></title>
|
||||
|
|
|
@ -60,6 +60,7 @@ class ViewTest extends PHPUnit_Framework_TestCase
|
|||
$page->assign('HTTPWARNING', true);
|
||||
$page->assign('HTTPSLINK', 'https://example.com/');
|
||||
$page->assign('COMPRESSION', 'zlib');
|
||||
$page->assign('CSPHEADER', 'default-src \'none\'');
|
||||
|
||||
$dir = dir(PATH . 'tpl');
|
||||
while (false !== ($file = $dir->read())) {
|
||||
|
|
Loading…
Reference in New Issue