Improved settings of CSPs.

Added manifest.json. Added further security-related HTTP headers.
2018-06-18 13:57:35 +02:00
parent 1acdc7ba2b
commit 067beedf29
12 changed files with 165 additions and 34 deletions
--- a/inc/functions.php
+++ b/inc/functions.php
@ -74,19 +74,28 @@ function ensureEnvironment() {
            "logo"                  => "",
            "url"                   => "",
            "css"                   => "default",
-            "hideInstitution"       => 0,
+            "defaultLang"           => "en",
            "cacheRefreshInterval"  => 0,
            "mdVersion"             => "https://rlp.museum-digital.de/",
            "mdImgFolder"           => "https://rlp.museum-digital.de/data/rlp/",
+            "hideInstitution"       => 0,
            "limitToInstitutions"   => [],
+            "sendHTTPHeaders"       => 1,
+            "CSPimageSources"       => "",
+            "CSPobjectSources"      => "",
            "maxFileSize"           => 300000,
-            "defaultLang"           => "en"
        ],
        json_decode(file_get_contents(__DIR__ . "/../data/settings.json"), true)
    );

    $GLOBALS['settings'] = $settings;

+    if ($settings['sendHTTPHeaders']) {
+        header('X-Content-Type-Options: nosniff');
+        header('X-XSS-Protection: 1; mode=block');
+        header('Strict-Transport-Security: max-age=31536000; preload');
+        header('Referrer-Policy: strict-origin');
+    }

 }

--- a/inc/standardHTML.php
+++ b/inc/standardHTML.php
@ -25,11 +25,18 @@ function printPublicHead(array $settings, string $page = "home", string $title =
 <head>

    <!-- Content Security policies -->
-    <meta http-equiv="Content-Security-Policy" content="default-src \'none\'; script-src \'self\'; connect-src \'self\' ' . $settings['mdVersion'] . '; img-src \'self\' ' . $settings['mdVersion'] . '; style-src \'self\' \'unsafe-inline\'; font-src \'self\';" />
+    <meta http-equiv="Content-Security-Policy" content="default-src \'none\'; script-src \'self\'; connect-src \'self\' ' . $settings['mdVersion'] . '; img-src \'self\' ' . $settings['mdVersion'];
+    if ($settings['CSPimageSources']) $output .= " " . $settings['CSPimageSources']; // Allow embedding of whitelisted images.
+    $output .= '; style-src \'self\' \'unsafe-inline\'; font-src \'self\'; frame-src \'self\'';
+    if ($settings['CSPobjectSources']) $output .= " " . $settings['CSPobjectSources']; // Allow embedding of whitelisted frame contents / objects.
+    $output .= '; object-src \'self\'';
+    if ($settings['CSPobjectSources']) $output .= " " . $settings['CSPobjectSources']; // Allow embedding of whitelisted frame contents / objects.
+    $output .= '; frame-ancestors \'self\'; base-uri \'none\'; form-action \'self\';" />

 	<title>' . $title . '</title>
-    <link rel="stylesheet" type="text/css" href="themes/' . $settings['css'] . '/theme.css" />
    <link rel="stylesheet" type="text/css" href="themes/imports.css" />
+    <link rel="stylesheet" type="text/css" href="themes/' . $settings['css'] . '/theme.css" />
+    <link rel="manifest" href="./manifest.php">
    <meta http-equiv="content-type" content="text/html;charset=utf-8" />';

    $output .= $additional;