2021-09-04 12:57:04 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace BookStack\Util;
|
|
|
|
|
|
|
|
|
|
use Illuminate\Support\Str;
|
|
|
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
|
|
|
|
|
|
|
|
class CspService
|
|
|
|
|
{
|
|
|
|
|
/** @var string */
|
|
|
|
|
protected $nonce;
|
|
|
|
|
|
|
|
|
|
public function __construct(string $nonce = '')
|
|
|
|
|
{
|
2021-09-12 15:19:17 +00:00
|
|
|
$this->nonce = $nonce ?: Str::random(24);
|
2021-09-04 12:57:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Get the nonce value for CSP.
|
|
|
|
|
*/
|
|
|
|
|
public function getNonce(): string
|
|
|
|
|
{
|
|
|
|
|
return $this->nonce;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Sets CSP 'script-src' headers to restrict the forms of script that can
|
|
|
|
|
* run on the page.
|
|
|
|
|
*/
|
|
|
|
|
public function setScriptSrc(Response $response)
|
|
|
|
|
{
|
|
|
|
|
if (config('app.allow_content_scripts')) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$parts = [
|
2021-09-04 13:34:43 +00:00
|
|
|
'http:',
|
|
|
|
|
'https:',
|
2021-09-04 12:57:04 +00:00
|
|
|
'\'nonce-' . $this->nonce . '\'',
|
|
|
|
|
'\'strict-dynamic\'',
|
|
|
|
|
];
|
2021-09-04 13:34:43 +00:00
|
|
|
|
2021-09-04 12:57:04 +00:00
|
|
|
$value = 'script-src ' . implode(' ', $parts);
|
|
|
|
|
$response->headers->set('Content-Security-Policy', $value, false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Sets CSP "frame-ancestors" headers to restrict the hosts that BookStack can be
|
|
|
|
|
* iframed within. Also adjusts the cookie samesite options so that cookies will
|
|
|
|
|
* operate in the third-party context.
|
|
|
|
|
*/
|
|
|
|
|
public function setFrameAncestors(Response $response)
|
|
|
|
|
{
|
|
|
|
|
$iframeHosts = $this->getAllowedIframeHosts();
|
|
|
|
|
array_unshift($iframeHosts, "'self'");
|
|
|
|
|
$cspValue = 'frame-ancestors ' . implode(' ', $iframeHosts);
|
|
|
|
|
$response->headers->set('Content-Security-Policy', $cspValue, false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Check if the user has configured some allowed iframe hosts.
|
|
|
|
|
*/
|
|
|
|
|
public function allowedIFrameHostsConfigured(): bool
|
|
|
|
|
{
|
|
|
|
|
return count($this->getAllowedIframeHosts()) > 0;
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-04 13:34:43 +00:00
|
|
|
/**
|
|
|
|
|
* Sets CSP 'object-src' headers to restrict the types of dynamic content
|
|
|
|
|
* that can be embedded on the page.
|
|
|
|
|
*/
|
|
|
|
|
public function setObjectSrc(Response $response)
|
|
|
|
|
{
|
|
|
|
|
if (config('app.allow_content_scripts')) {
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
$response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* Sets CSP 'base-uri' headers to restrict what base tags can be set on
|
|
|
|
|
* the page to prevent manipulation of relative links.
|
|
|
|
|
*/
|
|
|
|
|
public function setBaseUri(Response $response)
|
|
|
|
|
{
|
|
|
|
|
$response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
|
|
|
|
|
}
|
2021-09-04 12:57:04 +00:00
|
|
|
|
|
|
|
|
protected function getAllowedIframeHosts(): array
|
|
|
|
|
{
|
|
|
|
|
$hosts = config('app.iframe_hosts', '');
|
2021-09-06 21:19:06 +00:00
|
|
|
|
2021-09-04 12:57:04 +00:00
|
|
|
return array_filter(explode(' ', $hosts));
|
|
|
|
|
}
|
2021-09-06 21:19:06 +00:00
|
|
|
}
|
