Added a couple of additional CSP rules
As per guidance from Google's CSP Evaluator.
This commit is contained in:
parent
253f386f00
commit
492af79c27
|
@ -38,6 +38,8 @@ class ApplyCspRules
|
||||||
|
|
||||||
$this->cspService->setFrameAncestors($response);
|
$this->cspService->setFrameAncestors($response);
|
||||||
$this->cspService->setScriptSrc($response);
|
$this->cspService->setScriptSrc($response);
|
||||||
|
$this->cspService->setObjectSrc($response);
|
||||||
|
$this->cspService->setBaseUri($response);
|
||||||
|
|
||||||
return $response;
|
return $response;
|
||||||
}
|
}
|
||||||
|
|
|
@ -34,9 +34,12 @@ class CspService
|
||||||
}
|
}
|
||||||
|
|
||||||
$parts = [
|
$parts = [
|
||||||
|
'http:',
|
||||||
|
'https:',
|
||||||
'\'nonce-' . $this->nonce . '\'',
|
'\'nonce-' . $this->nonce . '\'',
|
||||||
'\'strict-dynamic\'',
|
'\'strict-dynamic\'',
|
||||||
];
|
];
|
||||||
|
|
||||||
$value = 'script-src ' . implode(' ', $parts);
|
$value = 'script-src ' . implode(' ', $parts);
|
||||||
$response->headers->set('Content-Security-Policy', $value, false);
|
$response->headers->set('Content-Security-Policy', $value, false);
|
||||||
}
|
}
|
||||||
|
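Review bot: The two new `'http:'` and `'https:'` entries in the `$parts` list deserve a comment, because a reader seeing them next to `'strict-dynamic'` will assume they widen the policy. Browsers that understand `'strict-dynamic'` ignore scheme and host sources entirely when a nonce is present, so these entries act only as a fallback for older CSP2-only browsers, which is what the evaluator's guidance is about; in those browsers the `'http:'` entry effectively permits any script over plain HTTP, which is a known trade-off worth stating. I would add above the list: `// 'http:'/'https:' are fallbacks for browsers without 'strict-dynamic' support; CSP3-capable browsers ignore them when the nonce source is present.` The `setScriptSrc` method's signature and any early-return guard are outside this hunk.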
@ -62,6 +65,27 @@ class CspService
|
||||||
return count($this->getAllowedIframeHosts()) > 0;
|
return count($this->getAllowedIframeHosts()) > 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets CSP 'object-src' headers to restrict the types of dynamic content
|
||||||
|
* that can be embedded on the page.
|
||||||
|
*/
|
||||||
|
public function setObjectSrc(Response $response)
|
||||||
|
{
|
||||||
|
if (config('app.allow_content_scripts')) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Sets CSP 'base-uri' headers to restrict what base tags can be set on
|
||||||
|
* the page to prevent manipulation of relative links.
|
||||||
|
*/
|
||||||
|
public function setBaseUri(Response $response)
|
||||||
|
{
|
||||||
|
$response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
|
||||||
|
}
|
||||||
|
|
||||||
protected function getAllowedIframeHosts(): array
|
protected function getAllowedIframeHosts(): array
|
||||||
{
|
{
|
||||||
|
|
|
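Review bot: `setObjectSrc` emits `object-src 'self'`, whereas the usual hardening recommendation (including the evaluator the commit cites) is `object-src 'none'`; `'self'` still permits same-origin plugin content via `<object>`/`<embed>`, which matters if this application serves user-supplied files from its own origin (inferred, not visible here). If nothing legitimately relies on same-origin objects, `$response->headers->set('Content-Security-Policy', 'object-src \'none\'', false);` is the stricter choice and the docblock should say why `'self'` was kept otherwise. Both new methods also lack a return type; `public function setObjectSrc(Response $response): void` and `public function setBaseUri(Response $response): void` would match `getAllowedIframeHosts(): array` below. The class body continues past this hunk.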
@ -105,6 +105,20 @@ class SecurityHeaderTest extends TestCase
|
||||||
$this->assertNotEmpty($scriptHeader);
|
$this->assertNotEmpty($scriptHeader);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_object_src_csp_header_set()
|
||||||
|
{
|
||||||
|
$resp = $this->get('/');
|
||||||
|
$scriptHeader = $this->getCspHeader($resp, 'object-src');
|
||||||
|
$this->assertEquals('object-src \'self\'', $scriptHeader);
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_base_uri_csp_header_set()
|
||||||
|
{
|
||||||
|
$resp = $this->get('/');
|
||||||
|
$scriptHeader = $this->getCspHeader($resp, 'base-uri');
|
||||||
|
$this->assertEquals('base-uri \'self\'', $scriptHeader);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the value of the first CSP header of the given type.
|
* Get the value of the first CSP header of the given type.
|
||||||
*/
|
*/
|
||||||
|
|
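Review bot: Neither new test covers the early return in `setObjectSrc` when `app.allow_content_scripts` is enabled, so a regression that always emitted the header, or never did, would pass. A third test that sets that config value, requests `/`, and asserts `getCspHeader($resp, 'object-src')` is empty would pin both branches; the existing script-src test above this hunk may already show the pattern for toggling that config. As a style point, `$scriptHeader` is a misleading name in both new tests, `$objectHeader` and `$baseUriHeader` read better, and `assertSame` is the more precise assertion for the exact header string. The test class continues outside this hunk.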