2021-09-03 22:32:42 +00:00
|
|
|
<?php
|
|
|
|
|
|
|
|
|
|
namespace BookStack\Http\Middleware;
|
|
|
|
|
|
2021-09-04 12:57:04 +00:00
|
|
|
use BookStack\Util\CspService;
|
2021-09-03 22:32:42 +00:00
|
|
|
use Closure;
|
|
|
|
|
use Illuminate\Http\Request;
|
|
|
|
|
|
|
|
|
|
class ApplyCspRules
|
|
|
|
|
{
|
2022-03-07 14:27:41 +00:00
|
|
|
protected CspService $cspService;
|
2021-09-04 12:57:04 +00:00
|
|
|
|
|
|
|
|
public function __construct(CspService $cspService)
|
|
|
|
|
{
|
|
|
|
|
$this->cspService = $cspService;
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-03 22:32:42 +00:00
|
|
|
/**
|
|
|
|
|
* Handle an incoming request.
|
|
|
|
|
*
|
|
|
|
|
* @param Request $request
|
|
|
|
|
* @param Closure $next
|
|
|
|
|
*
|
|
|
|
|
* @return mixed
|
|
|
|
|
*/
|
|
|
|
|
public function handle($request, Closure $next)
|
|
|
|
|
{
|
2021-09-04 12:57:04 +00:00
|
|
|
view()->share('cspNonce', $this->cspService->getNonce());
|
|
|
|
|
if ($this->cspService->allowedIFrameHostsConfigured()) {
|
|
|
|
|
config()->set('session.same_site', 'none');
|
|
|
|
|
}
|
2021-09-03 22:32:42 +00:00
|
|
|
|
|
|
|
|
$response = $next($request);
|
|
|
|
|
|
2022-03-07 14:27:41 +00:00
|
|
|
$cspHeader = $this->cspService->getCspHeader();
|
|
|
|
|
$response->headers->set('Content-Security-Policy', $cspHeader, false);
|
2021-09-03 22:32:42 +00:00
|
|
|
|
|
|
|
|
return $response;
|
|
|
|
|
}
|
|
|
|
|
}
|
