bookstack/app/Http/Middleware/ApplyCspRules.php

<?php

namespace BookStack\Http\Middleware;

use BookStack\Util\CspService;
use Closure;
use Illuminate\Http\Request;

class ApplyCspRules
{
    /**
     * @var CspService
     */
    protected $cspService;

    public function __construct(CspService $cspService)
    {
        $this->cspService = $cspService;
    }

    /**
     * Handle an incoming request.
     *
     * @param Request $request
     * @param Closure $next
     *
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        view()->share('cspNonce', $this->cspService->getNonce());
        if ($this->cspService->allowedIFrameHostsConfigured()) {
            config()->set('session.same_site', 'none');
        }

        $response = $next($request);

        $this->cspService->setFrameAncestors($response);
        $this->cspService->setScriptSrc($response);
        $this->cspService->setObjectSrc($response);
        $this->cspService->setBaseUri($response);

        return $response;
    }
}
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`<?php`

			`namespace BookStack\Http\Middleware;`

Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`use BookStack\Util\CspService;`
Started application of CSP headers 2021-09-04 06:32:42 +08:00			`use Closure;`
			`use Illuminate\Http\Request;`

			`class ApplyCspRules`
			`{`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`/**`
			`* @var CspService`
			`*/`
			`protected $cspService;`

			`public function __construct(CspService $cspService)`
			`{`
			`$this->cspService = $cspService;`
			`}`

Started application of CSP headers 2021-09-04 06:32:42 +08:00			`/**`
			`* Handle an incoming request.`
			`*`
			`* @param Request $request`
			`* @param Closure $next`
			`*`
			`* @return mixed`
			`*/`
			`public function handle($request, Closure $next)`
			`{`
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`view()->share('cspNonce', $this->cspService->getNonce());`
			`if ($this->cspService->allowedIFrameHostsConfigured()) {`
			`config()->set('session.same_site', 'none');`
			`}`
Started application of CSP headers 2021-09-04 06:32:42 +08:00
			`$response = $next($request);`

Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 20:57:04 +08:00			`$this->cspService->setFrameAncestors($response);`
			`$this->cspService->setScriptSrc($response);`
Added a couple of additional CSP rules As per guidance from google's CSP evaluator. 2021-09-04 21:34:43 +08:00			`$this->cspService->setObjectSrc($response);`
			`$this->cspService->setBaseUri($response);`
Started application of CSP headers 2021-09-04 06:32:42 +08:00
			`return $response;`
			`}`
			`}`