BookStack/app/Util/CspService.php

<?php

namespace BookStack\Util;

use Illuminate\Support\Str;
use Symfony\Component\HttpFoundation\Response;

class CspService
{
    /** @var string */
    protected $nonce;

    public function __construct(string $nonce = '')
    {
        $this->nonce = $nonce ?: Str::random(16);
    }

    /**
     * Get the nonce value for CSP.
     */
    public function getNonce(): string
    {
        return $this->nonce;
    }

    /**
     * Sets CSP 'script-src' headers to restrict the forms of script that can
     * run on the page.
     */
    public function setScriptSrc(Response $response)
    {
        if (config('app.allow_content_scripts')) {
            return;
        }

        $parts = [
            '\'nonce-' . $this->nonce . '\'',
            '\'strict-dynamic\'',
        ];
        $value = 'script-src ' . implode(' ', $parts);
        $response->headers->set('Content-Security-Policy', $value, false);
    }

    /**
     * Sets CSP "frame-ancestors" headers to restrict the hosts that BookStack can be
     * iframed within. Also adjusts the cookie samesite options so that cookies will
     * operate in the third-party context.
     */
    public function setFrameAncestors(Response $response)
    {
        $iframeHosts = $this->getAllowedIframeHosts();
        array_unshift($iframeHosts, "'self'");
        $cspValue = 'frame-ancestors ' . implode(' ', $iframeHosts);
        $response->headers->set('Content-Security-Policy', $cspValue, false);
    }

    /**
     * Check if the user has configured some allowed iframe hosts.
     */
    public function allowedIFrameHostsConfigured(): bool
    {
        return count($this->getAllowedIframeHosts()) > 0;
    }


    protected function getAllowedIframeHosts(): array
    {
        $hosts = config('app.iframe_hosts', '');
        return array_filter(explode(' ', $hosts));
    }

}
Finished off script CSP rules - Added caching for custom html head parsing to add nonce. - Also moved api docs page into web routes to prevent issues. 2021-09-04 08:57:04 -04:00			`<?php`

			`namespace BookStack\Util;`

			`use Illuminate\Support\Str;`
			`use Symfony\Component\HttpFoundation\Response;`

			`class CspService`
			`{`
			`/** @var string */`
			`protected $nonce;`

			`public function __construct(string $nonce = '')`
			`{`
			`$this->nonce = $nonce ?: Str::random(16);`
			`}`

			`/**`
			`* Get the nonce value for CSP.`
			`*/`
			`public function getNonce(): string`
			`{`
			`return $this->nonce;`
			`}`

			`/**`
			`* Sets CSP 'script-src' headers to restrict the forms of script that can`
			`* run on the page.`
			`*/`
			`public function setScriptSrc(Response $response)`
			`{`
			`if (config('app.allow_content_scripts')) {`
			`return;`
			`}`

			`$parts = [`
			`'\'nonce-' . $this->nonce . '\'',`
			`'\'strict-dynamic\'',`
			`];`
			`$value = 'script-src ' . implode(' ', $parts);`
			`$response->headers->set('Content-Security-Policy', $value, false);`
			`}`

			`/**`
			`* Sets CSP "frame-ancestors" headers to restrict the hosts that BookStack can be`
			`* iframed within. Also adjusts the cookie samesite options so that cookies will`
			`* operate in the third-party context.`
			`*/`
			`public function setFrameAncestors(Response $response)`
			`{`
			`$iframeHosts = $this->getAllowedIframeHosts();`
			`array_unshift($iframeHosts, "'self'");`
			`$cspValue = 'frame-ancestors ' . implode(' ', $iframeHosts);`
			`$response->headers->set('Content-Security-Policy', $cspValue, false);`
			`}`

			`/**`
			`* Check if the user has configured some allowed iframe hosts.`
			`*/`
			`public function allowedIFrameHostsConfigured(): bool`
			`{`
			`return count($this->getAllowedIframeHosts()) > 0;`
			`}`


			`protected function getAllowedIframeHosts(): array`
			`{`
			`$hosts = config('app.iframe_hosts', '');`
			`return array_filter(explode(' ', $hosts));`
			`}`

			`}`