BookStack/app/Http/Middleware/ControlIframeSecurity.php

<?php

namespace BookStack\Http\Middleware;

use Closure;

/**
 * Sets CSP headers to restrict the hosts that BookStack can be
 * iframed within. Also adjusts the cookie samesite options
 * so that cookies will operate in the third-party context.
 */
class ControlIframeSecurity
{
    /**
     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Closure                 $next
     *
     * @return mixed
     */
    public function handle($request, Closure $next)
    {
        $iframeHosts = collect(explode(' ', config('app.iframe_hosts', '')))->filter();
        if ($iframeHosts->count() > 0) {
            config()->set('session.same_site', 'none');
        }

        $iframeHosts->prepend("'self'");

        $response = $next($request);
        $cspValue = 'frame-ancestors ' . $iframeHosts->join(' ');
        $response->headers->set('Content-Security-Policy', $cspValue);

        return $response;
    }
}
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`<?php`

			`namespace BookStack\Http\Middleware;`

			`use Closure;`

			`/**`
			`* Sets CSP headers to restrict the hosts that BookStack can be`
			`* iframed within. Also adjusts the cookie samesite options`
			`* so that cookies will operate in the third-party context.`
			`*/`
			`class ControlIframeSecurity`
			`{`
			`/**`
			`* Handle an incoming request.`
			`*`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00			`* @param \Illuminate\Http\Request $request`
			`* @param \Closure $next`
			`*`
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`* @return mixed`
			`*/`
			`public function handle($request, Closure $next)`
			`{`
			`$iframeHosts = collect(explode(' ', config('app.iframe_hosts', '')))->filter();`
			`if ($iframeHosts->count() > 0) {`
			`config()->set('session.same_site', 'none');`
			`}`

			`$iframeHosts->prepend("'self'");`

			`$response = $next($request);`
			`$cspValue = 'frame-ancestors ' . $iframeHosts->join(' ');`
			`$response->headers->set('Content-Security-Policy', $cspValue);`
Apply fixes from StyleCI 2021-06-26 11:23:15 -04:00
Added iframe CSP, improved session cookie security Added iframe CSP headers with configuration via .env. Updated session cookies to be lax by default, dynamically changing to none when iframes configured to allow third-party control. Updated cookie security to be auto-secure if a https APP_URL is set. Related to #2427 and #2207. 2021-01-01 21:43:50 -05:00			`return $response;`
			`}`
			`}`