From 492af79c27f089e28c76007f93fef4995eda9d94 Mon Sep 17 00:00:00 2001
From: Dan Brown
Date: Sat, 4 Sep 2021 14:34:43 +0100
Subject: [PATCH] Added a couple of additional CSP rules

As per guidance from google's CSP evaluator.
---
 app/Http/Middleware/ApplyCspRules.php |  2 ++
 app/Util/CspService.php               | 24 ++++++++++++++++++++++++
 tests/SecurityHeaderTest.php          | 14 ++++++++++++++
 3 files changed, 40 insertions(+)

diff --git a/app/Http/Middleware/ApplyCspRules.php b/app/Http/Middleware/ApplyCspRules.php
index 4c2b1e1da..a65d12a05 100644
--- a/app/Http/Middleware/ApplyCspRules.php
+++ b/app/Http/Middleware/ApplyCspRules.php
@@ -38,6 +38,8 @@ class ApplyCspRules
         $this->cspService->setFrameAncestors($response);
         $this->cspService->setScriptSrc($response);
+        $this->cspService->setObjectSrc($response);
+        $this->cspService->setBaseUri($response);
 
         return $response;
     }
diff --git a/app/Util/CspService.php b/app/Util/CspService.php
index 2728aae44..2979ebc3e 100644
--- a/app/Util/CspService.php
+++ b/app/Util/CspService.php
@@ -34,9 +34,12 @@ class CspService
         }
 
         $parts = [
+            'http:',
+            'https:',
             '\'nonce-' . $this->nonce . '\'',
             '\'strict-dynamic\'',
         ];
+
         $value = 'script-src ' . implode(' ', $parts);
         $response->headers->set('Content-Security-Policy', $value, false);
     }
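Review bot: The new `'http:'` and `'https:'` entries in `$parts` need a comment explaining their role, because with `'strict-dynamic'` in the same directive a CSP3-conformant browser ignores scheme and host sources, so these two values only take effect as a fallback in browsers that do not understand `'strict-dynamic'`; the commit message points at the evaluator guidance but the code records nothing. Keeping `http:` also means that fallback permits scripts from plaintext origins, which is wider than an `https:`-only fallback, so that should be a deliberate choice that is either dropped or justified in the same comment. Suggested line above the array: `// Scheme sources are ignored by browsers that honour 'strict-dynamic'; they only act as a fallback for older browsers.`. The enclosing setScriptSrc method, including the early return whose closing brace is the first context line here, starts outside the hunk.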
@@ -62,6 +65,27 @@ class CspService
         return count($this->getAllowedIframeHosts()) > 0;
     }
 
+    /**
+     * Sets CSP 'object-src' headers to restrict the types of dynamic content
+     * that can be embedded on the page.
+     */
+    public function setObjectSrc(Response $response)
+    {
+        if (config('app.allow_content_scripts')) {
+            return;
+        }
+
+        $response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
+    }
+
+    /**
+     * Sets CSP 'base-uri' headers to restrict what base tags can be set on
+     * the page to prevent manipulation of relative links.
+     */
+    public function setBaseUri(Response $response)
+    {
+        $response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
+    }
 
     protected function getAllowedIframeHosts(): array
     {
diff --git a/tests/SecurityHeaderTest.php b/tests/SecurityHeaderTest.php
index 57f4ab0df..fe25ef3f0 100644
--- a/tests/SecurityHeaderTest.php
+++ b/tests/SecurityHeaderTest.php
@@ -105,6 +105,20 @@ class SecurityHeaderTest extends TestCase
         $this->assertNotEmpty($scriptHeader);
     }
 
+    public function test_object_src_csp_header_set()
+    {
+        $resp = $this->get('/');
+        $scriptHeader = $this->getCspHeader($resp, 'object-src');
+        $this->assertEquals('object-src \'self\'', $scriptHeader);
+    }
+
+    public function test_base_uri_csp_header_set()
+    {
+        $resp = $this->get('/');
+        $scriptHeader = $this->getCspHeader($resp, 'base-uri');
+        $this->assertEquals('base-uri \'self\'', $scriptHeader);
+    }
+
     /**
      * Get the value of the first CSP header of the given type.
      */
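Review bot: `setObjectSrc` emits `object-src 'self'`, which still allows same-origin plugin content through `<object>` and `<embed>`; if files uploaded by users are ever served from this origin that is a meaningful gap, and `'none'` costs nothing when the application embeds no plugin content itself, so either change the line to `$response->headers->set('Content-Security-Policy', 'object-src \'none\'', false);` or record in the docblock why same-origin must stay permitted. The docblock should also state the bypass that the code introduces, since a reader of the middleware cannot see that a config value removes a directive: add `* No directive is emitted when 'app.allow_content_scripts' is enabled.` to the setObjectSrc comment. As a point of style, both new methods omit a `: void` return type while the neighbouring `getAllowedIframeHosts(): array` is typed.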
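Review bot: Both new tests reuse the variable name `$scriptHeader` for the `object-src` and `base-uri` values, evidently copied from the script-src test whose closing assertion is the first context line; rename it to `$header` in each so the assertions read as they mean. The tests also exercise only the default configuration, while `setObjectSrc` in the CspService hunk returns early when `app.allow_content_scripts` is set, so the branch that removes a directive is untested; a companion test that calls `config()->set('app.allow_content_scripts', true);` before the request and asserts that `$this->getCspHeader($resp, 'object-src')` is empty would pin that behaviour down. The SecurityHeaderTest class continues beyond the hunk.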