Page MenuHomePhorge

D3167.1742049760.diff
No OneTemporary

Size
3 KB
Referenced Files
None
Subscribers
None

D3167.1742049760.diff

diff --git a/src/.env.example b/src/.env.example
--- a/src/.env.example
+++ b/src/.env.example
@@ -16,6 +16,9 @@
APP_WITH_RESELLER=1
APP_WITH_SERVICES=1
+APP_HEADER_CSP="connect-src 'self'; child-src 'self'; font-src 'self'; form-action 'self' data:; frame-ancestors 'self'; img-src blob: data: 'self' *; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-eval' 'unsafe-inline'; default-src 'self';"
+APP_HEADER_XFO=sameorigin
+
SIGNUP_LIMIT_EMAIL=0
SIGNUP_LIMIT_IP=0
diff --git a/src/app/Http/Kernel.php b/src/app/Http/Kernel.php
--- a/src/app/Http/Kernel.php
+++ b/src/app/Http/Kernel.php
@@ -22,6 +22,7 @@
\Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull::class,
\App\Http\Middleware\DevelConfig::class,
\App\Http\Middleware\Locale::class,
+ \App\Http\Middleware\ContentSecurityPolicy::class,
// FIXME: CORS handling added here, I didn't find a nice way
// to add this only to the API routes
// \App\Http\Middleware\Cors::class,
@@ -86,6 +87,7 @@
\Illuminate\Session\Middleware\AuthenticateSession::class,
\Illuminate\Routing\Middleware\SubstituteBindings::class,
\Illuminate\Auth\Middleware\Authorize::class,
+ \App\Http\Middleware\ContentSecurityPolicy::class,
];
/**
diff --git a/src/app/Http/Middleware/ContentSecurityPolicy.php b/src/app/Http/Middleware/ContentSecurityPolicy.php
new file mode 100644
--- /dev/null
+++ b/src/app/Http/Middleware/ContentSecurityPolicy.php
@@ -0,0 +1,34 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+
+class ContentSecurityPolicy
+{
+ /**
+ * Handle an incoming request.
+ *
+ * @param \Illuminate\Http\Request $request
+ * @param \Closure $next
+ *
+ * @return mixed
+ */
+ public function handle($request, Closure $next)
+ {
+ $headers = [
+ 'csp' => 'Content-Security-Policy',
+ 'xfo' => 'X-Frame-Options',
+ ];
+
+ $next = $next($request);
+
+ foreach ($headers as $opt => $header) {
+ if ($value = \config("app.headers.{$opt}")) {
+ $next->header($header, $value);
+ }
+ }
+
+ return $next;
+ }
+}
diff --git a/src/config/app.php b/src/config/app.php
--- a/src/config/app.php
+++ b/src/config/app.php
@@ -254,6 +254,11 @@
'View' => Illuminate\Support\Facades\View::class,
],
+ 'headers' => [
+ 'csp' => env('APP_HEADER_CSP', ""),
+ 'xfo' => env('APP_HEADER_XFO', ""),
+ ],
+
// Locations of knowledge base articles
'kb' => [
// An article about suspended accounts
diff --git a/src/resources/js/app.js b/src/resources/js/app.js
--- a/src/resources/js/app.js
+++ b/src/resources/js/app.js
@@ -292,7 +292,7 @@
}
},
isDegraded() {
- return store.state.authInfo.isAccountDegraded
+ return store.state.authInfo && store.state.authInfo.isAccountDegraded
},
pageName(path) {
let page = this.$route.path

File Metadata

Mime Type
text/plain
Expires
Sat, Mar 15, 3:42 PM (9 h, 36 m)
Storage Engine
blob
Storage Format
Raw Data
Storage Handle
11313612
Default Alt Text
D3167.1742049760.diff (3 KB)

Event Timeline