mirror of
https://github.com/PrivateBin/PrivateBin.git
synced 2024-03-22 13:10:41 +08:00
set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
This commit is contained in:
parent
1807580226
commit
6c1f0dde0c
|
@ -9,6 +9,7 @@
|
||||||
* ADDED: Google Cloud Storage backend support (#795)
|
* ADDED: Google Cloud Storage backend support (#795)
|
||||||
* ADDED: Oracle database support (#868)
|
* ADDED: Oracle database support (#868)
|
||||||
* ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
|
* ADDED: Configuration option to limit paste creation and commenting to certain IPs (#883)
|
||||||
|
* ADDED: Set CSP also as meta tag, to deal with misconfigured webservers mangling the HTTP header
|
||||||
* CHANGED: Language selection cookie only transmitted over HTTPS (#472)
|
* CHANGED: Language selection cookie only transmitted over HTTPS (#472)
|
||||||
* CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21 & Showdown 2.0.0
|
* CHANGED: Upgrading libraries to: base-x 4.0.0, bootstrap 3.4.1 (JS), DOMpurify 2.3.6, ip-lib 1.18.0, jQuery 3.6.0, random_compat 2.0.21 & Showdown 2.0.0
|
||||||
* CHANGED: Removed automatic `.ini` configuration file migration (#808)
|
* CHANGED: Removed automatic `.ini` configuration file migration (#808)
|
||||||
|
|
|
@ -364,6 +364,16 @@ class Controller
|
||||||
setcookie('lang', $languageselection, 0, '', '', true);
|
setcookie('lang', $languageselection, 0, '', '', true);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// strip policies that are unsupported in meta tag
|
||||||
|
$metacspheader = str_replace(
|
||||||
|
array(
|
||||||
|
'frame-ancestors \'none\'; ',
|
||||||
|
'; sandbox allow-same-origin allow-scripts allow-forms allow-popups allow-modals allow-downloads',
|
||||||
|
),
|
||||||
|
'',
|
||||||
|
$this->_conf->getKey('cspheader')
|
||||||
|
);
|
||||||
|
|
||||||
$page = new View;
|
$page = new View;
|
||||||
$page->assign('NAME', $this->_conf->getKey('name'));
|
$page->assign('NAME', $this->_conf->getKey('name'));
|
||||||
$page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
|
$page->assign('BASEPATH', I18n::_($this->_conf->getKey('basepath')));
|
||||||
|
@ -392,6 +402,7 @@ class Controller
|
||||||
$page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
|
$page->assign('HTTPWARNING', $this->_conf->getKey('httpwarning'));
|
||||||
$page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
|
$page->assign('HTTPSLINK', 'https://' . $this->_request->getHost() . $this->_request->getRequestUri());
|
||||||
$page->assign('COMPRESSION', $this->_conf->getKey('compression'));
|
$page->assign('COMPRESSION', $this->_conf->getKey('compression'));
|
||||||
|
$page->assign('CSPHEADER', $metacspheader);
|
||||||
$page->draw($this->_conf->getKey('template'));
|
$page->draw($this->_conf->getKey('template'));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -7,6 +7,7 @@ $isPage = substr($template, -5) === '-page';
|
||||||
<html lang="<?php echo I18n::_('en'); ?>">
|
<html lang="<?php echo I18n::_('en'); ?>">
|
||||||
<head>
|
<head>
|
||||||
<meta charset="utf-8" />
|
<meta charset="utf-8" />
|
||||||
|
<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
|
||||||
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
<meta http-equiv="X-UA-Compatible" content="IE=edge">
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1">
|
<meta name="viewport" content="width=device-width, initial-scale=1">
|
||||||
<meta name="robots" content="noindex" />
|
<meta name="robots" content="noindex" />
|
||||||
|
|
|
@ -4,6 +4,7 @@ use PrivateBin\I18n;
|
||||||
<html lang="<?php echo I18n::_('en'); ?>">
|
<html lang="<?php echo I18n::_('en'); ?>">
|
||||||
<head>
|
<head>
|
||||||
<meta charset="utf-8" />
|
<meta charset="utf-8" />
|
||||||
|
<meta http-equiv="Content-Security-Policy" content="<?php echo I18n::encode($CSPHEADER); ?>">
|
||||||
<meta name="robots" content="noindex" />
|
<meta name="robots" content="noindex" />
|
||||||
<meta name="google" content="notranslate">
|
<meta name="google" content="notranslate">
|
||||||
<title><?php echo I18n::_($NAME); ?></title>
|
<title><?php echo I18n::_($NAME); ?></title>
|
||||||
|
|
|
@ -60,6 +60,7 @@ class ViewTest extends PHPUnit_Framework_TestCase
|
||||||
$page->assign('HTTPWARNING', true);
|
$page->assign('HTTPWARNING', true);
|
||||||
$page->assign('HTTPSLINK', 'https://example.com/');
|
$page->assign('HTTPSLINK', 'https://example.com/');
|
||||||
$page->assign('COMPRESSION', 'zlib');
|
$page->assign('COMPRESSION', 'zlib');
|
||||||
|
$page->assign('CSPHEADER', 'default-src \'none\'');
|
||||||
|
|
||||||
$dir = dir(PATH . 'tpl');
|
$dir = dir(PATH . 'tpl');
|
||||||
while (false !== ($file = $dir->read())) {
|
while (false !== ($file = $dir->read())) {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user