From 1dc8b24665bfe65ef6696468235f5698e4195899 Mon Sep 17 00:00:00 2001 From: El RIDO Date: Fri, 16 Apr 2021 20:15:12 +0200 Subject: [PATCH 1/5] transmit cookie only over HTTPS, fixes #472 --- CHANGELOG.md | 1 + js/privatebin.js | 2 +- lib/Controller.php | 4 ++-- tpl/bootstrap.php | 2 +- tpl/page.php | 2 +- 5 files changed, 6 insertions(+), 5 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7276c84e..00f5f21c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,6 +3,7 @@ * **1.4 (not yet released)** * ADDED: Translation for Estonian * ADDED: new HTTP headers improving security (#765) + * CHANGED: Language selection cookie only transmitted over HTTPS (#472) * **1.3.5 (2021-04-05)** * ADDED: Translation for Hebrew, Lithuanian, Indonesian and Catalan * ADDED: Make the project info configurable (#681) diff --git a/js/privatebin.js b/js/privatebin.js index e549dd61..05199701 100644 --- a/js/privatebin.js +++ b/js/privatebin.js @@ -3676,7 +3676,7 @@ jQuery.PrivateBin = (function($, RawDeflate) { */ function setLanguage(event) { - document.cookie = 'lang=' + $(event.target).data('lang'); + document.cookie = 'lang=' + $(event.target).data('lang') + ';secure'; UiHelper.reloadHome(); } diff --git a/lib/Controller.php b/lib/Controller.php index bc23a52a..5b81cd89 100644 --- a/lib/Controller.php +++ b/lib/Controller.php @@ -170,7 +170,7 @@ class Controller // force default language, if language selection is disabled and a default is set if (!$this->_conf->getKey('languageselection') && strlen($lang) == 2) { $_COOKIE['lang'] = $lang; - setcookie('lang', $lang); + setcookie('lang', $lang, 0, '', '', true); } } @@ -367,7 +367,7 @@ class Controller $languageselection = ''; if ($this->_conf->getKey('languageselection')) { $languageselection = I18n::getLanguage(); - setcookie('lang', $languageselection); + setcookie('lang', $languageselection, 0, '', '', true); } $page = new View; diff --git a/tpl/bootstrap.php b/tpl/bootstrap.php index ffea8720..f8f94446 100644 
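Review bot: Appending `;secure` in `setLanguage` means a browser will refuse to store the `lang` cookie when the page is served over plain HTTP, so clicking a language silently does nothing there (the page reloads via `UiHelper.reloadHome()` with the old language); the same applies to the two `setcookie('lang', …, true)` calls in the lib/Controller.php hunks of this patch. HTTP deployments appear to be tolerated by the project (the `httpwarning` option in the later Configuration.php hunk suggests so), so either derive the flag from the scheme, e.g. `+ (location.protocol === 'https:' ? ';secure' : '')` here and the request's HTTPS state on the PHP side, or record in the changelog that language selection now requires HTTPS. While the cookie string is being touched, an explicit `;SameSite=Lax` would document the intended cross-site behaviour instead of relying on per-browser defaults.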
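Review bot: The new `setcookie('lang', $lang, 0, '', '', true)` calls in both lib/Controller.php hunks pass four positional arguments whose meaning is not visible at the call site; a trailing comment such as `// expires: session, path/domain: default, secure: true`, or the PHP 7.3+ options-array form `setcookie('lang', $lang, array('secure' => true, 'samesite' => 'Lax'))` if the project's minimum PHP version allows it, would make the intent reviewable. `httponly` is deliberately left false and must stay so, because the JavaScript `setLanguage` handler overwrites this same cookie from `document.cookie`, which cannot replace an HttpOnly cookie; a one-line comment stating that constraint would stop a later hardening pass from breaking language selection. Both enclosing methods start and end outside the hunks.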
--- a/tpl/bootstrap.php +++ b/tpl/bootstrap.php @@ -72,7 +72,7 @@ endif; ?> - + diff --git a/tpl/page.php b/tpl/page.php index e58617d1..a2272326 100644 --- a/tpl/page.php +++ b/tpl/page.php @@ -50,7 +50,7 @@ endif; ?> - + From 6f3bb25b092cf33160d1a8d2071f7ca4e5cedcaa Mon Sep 17 00:00:00 2001 From: El RIDO Date: Fri, 16 Apr 2021 20:25:50 +0200 Subject: [PATCH 2/5] disable Google FloC --- lib/Controller.php | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/Controller.php b/lib/Controller.php index bc23a52a..bfa29b1d 100644 --- a/lib/Controller.php +++ b/lib/Controller.php @@ -349,6 +349,7 @@ class Controller header('Cross-Origin-Resource-Policy: same-origin'); header('Cross-Origin-Embedder-Policy: require-corp'); header('Cross-Origin-Opener-Policy: same-origin'); + header('Permissions-Policy: interest-cohort=()'); header('Referrer-Policy: no-referrer'); header('X-Content-Type-Options: nosniff'); header('X-Frame-Options: deny'); From fd7d05e8624b9a8293496ace80ed437ccd02f88d Mon Sep 17 00:00:00 2001 From: rugk Date: Fri, 16 Apr 2021 22:03:02 +0200 Subject: [PATCH 3/5] Add base URL as default CSP restriction This follows an [HTTP Observatory recommendation](https://observatory.mozilla.org/analyze/privatebin.net): > Restricts use of the tag by using base-uri 'none', base-uri 'self', or specific origins. Given we don't use that anywhere, this safe should be safe. (not tested practically though) --- cfg/conf.sample.php | 2 +- lib/Configuration.php | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/cfg/conf.sample.php b/cfg/conf.sample.php index e958c88d..570503ce 100644 --- a/cfg/conf.sample.php +++ b/cfg/conf.sample.php 
@@ -87,7 +87,7 @@ languageselection = false
 ; async functions and display an error if not and for Chrome to enable
 ; webassembly support (used for zlib compression). You can remove it if Chrome
 ; doesn't need to be supported and old browsers don't need to be warned.
-; cspheader = "default-src 'none'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
+; cspheader = "default-src 'none'; base-uri 'self'; manifest-src 'self'; connect-src * blob:; script-src 'self' 'unsafe-eval' resource:; style-src 'self'; font-src 'self'; img-src 'self' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads"
 
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
diff --git a/lib/Configuration.php b/lib/Configuration.php
index 2a326caf..741ab7c9 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -55,7 +55,7 @@ class Configuration
 'urlshortener' => '',
 'qrcode' => true,
 'icon' => 'identicon',
- 'cspheader' => 'default-src \'none\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
+ 'cspheader' => 'default-src \'none\'; base-uri \'self\'; manifest-src \'self\'; connect-src * blob:; script-src \'self\' \'unsafe-eval\' resource:; style-src \'self\'; font-src \'self\'; img-src \'self\' data: blob:; media-src blob:; object-src blob:; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
 'zerobincompatibility' => false,
 'httpwarning' => true,
 'compression' => 'zlib',
@@ -265,3 +265,4 @@ class Configuration
 return $this->_configuration[$section];
 }
 }
+
From 7b7a32c0a734b53ca2c7276410759390ea308189 Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 17 Apr 2021 08:20:08 +0200
Subject: [PATCH 4/5] apply StyleCI recommendation

---
 lib/Configuration.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/lib/Configuration.php b/lib/Configuration.php
index 741ab7c9..426cd158 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -265,4 +265,3 @@ class Configuration
 return $this->_configuration[$section];
 }
 }
-
From 5f4200c721be070162981878dff30ade1bcde89f Mon Sep 17 00:00:00 2001
From: El RIDO
Date: Sat, 17 Apr 2021 08:39:35 +0200
Subject: [PATCH 5/5] document change

---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 00f5f21c..b3278931 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
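Review bot: The commit message states that the `<base>` element is not used anywhere, in which case `base-uri 'none'` is the directive that matches that rationale; `base-uri 'self'` still lets an injected same-origin `<base href>` rewrite where every relative script, style and form URL on the page resolves to. Unless a template does emit `<base>`, the default in this lib/Configuration.php hunk should read `base-uri \'none\'`, and the commented sample in the cfg/conf.sample.php hunk must be kept identical to it. Since the message also says the change is untested, a manual load of the page under the new default before release would confirm nothing in the existing `sandbox` / `default-src 'none'` policy interacts badly with it.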
@@ -3,6 +3,7 @@
 * **1.4 (not yet released)**
 * ADDED: Translation for Estonian
 * ADDED: new HTTP headers improving security (#765)
+ * ADDED: Opt-out of federated learning of cohorts (FLoC) (#776)
 * CHANGED: Language selection cookie only transmitted over HTTPS (#472)
 * **1.3.5 (2021-04-05)**
 * ADDED: Translation for Hebrew, Lithuanian, Indonesian and Catalan