Improved CSP headers (#7255)

* Improved CSP headers

* Improved CSP headers

* Improved CSP headers

---------

Co-authored-by: Lucas Bartholemy <luke-@users.noreply.github.com>
Gevorg Mansuryan 2024-10-16 14:28:04 +04:00 committed by GitHub
parent 6c8990e01c
commit e07ea48921
7 changed files with 12 additions and 30 deletions


@ -47,6 +47,7 @@ HumHub Changelog
- Fix #7248: Upgrade jQuery Highlight plugin
- Fix #7254: Fix Login view HTML element ID from `user-auth-login-modal` to `user-auth-login`
- Fix #7250: Check writable path
- Enh #7255: Improved CSP headers
- Enh #7253: CSV/XLSX export improvements
- Enh #7252: Show "Powered by HumHub" even if no entries in the Footer menu
- Enh #7257: Move "About" into Space Control Menu


@ -55,12 +55,11 @@ $config = [
'security' => [
"headers" => [
"Strict-Transport-Security" => "max-age=31536000",
"X-XSS-Protection" => "1; mode=block",
"X-Content-Type-Options" => "nosniff",
"Referrer-Policy" => "no-referrer-when-downgrade",
"X-Permitted-Cross-Domain-Policies" => "master-only",
"X-Frame-Options" => "sameorigin",
"Content-Security-Policy" => "default-src *; connect-src *; font-src 'self'; frame-src https://* http://* *; img-src https://* http://* * data:; object-src 'self'; script-src {{ nonce }} 'self' https://* http://* * 'unsafe-inline' 'report-sample'; style-src * https://* http://* * 'unsafe-inline';",
"Content-Security-Policy" => "default-src *; connect-src *; font-src 'self'; frame-src https://* http://* *; img-src https://* http://* * data:; object-src 'self'; script-src {{ nonce }} 'self' https://* http://* * 'unsafe-inline' 'report-sample'; style-src * https://* http://* * 'unsafe-inline'; block-all-mixed-content;",
],
'csp' => [
'nonce' => true,
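Review bot: `block-all-mixed-content`, the directive appended to the Content-Security-Policy value on the second of the two CSP lines, is deprecated in the Mixed Content specification and MDN lists it as such; current Chromium and Firefox block or auto-upgrade blockable mixed content regardless of it, so it adds nothing, whereas `upgrade-insecure-requests;` would actually rewrite `http://` subresource loads on HTTPS pages. If that is the intent, replace it with `upgrade-insecure-requests;`; otherwise drop the new directive. The page has lost the +/- markers, so I am reading the line with the extra directive as the new side and the `X-XSS-Protection` line as the removed one, which would match the test changes. Since the header set is being revised anyway: both this config and the strict config below keep `Referrer-Policy: no-referrer-when-downgrade`, which sends the full referring URL to every cross-origin HTTPS destination; `strict-origin-when-cross-origin` is the current browser default and a safer baseline (SecurityTest pins the present value and would need updating).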


@ -881,9 +881,6 @@ class CSPBuilder
// If we're supporting legacy devices, include these too:
if ($legacy) {
$return [] = $this->reportOnly
? 'X-Content-Security-Policy-Report-Only'
: 'X-Content-Security-Policy';
$return [] = $this->reportOnly
? 'X-Webkit-CSP-Report-Only'
: 'X-Webkit-CSP';
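Review bot: After this hunk the `$legacy` branch still emits one vendor-prefixed header name (the page lost the markers, so I cannot tell whether the `X-Content-Security-Policy` or the `X-Webkit-CSP` triple is the one kept), while SecuritySettings in the same commit drops its `*_IE` constants and isCSPHeader() no longer recognises any X-prefixed name as a CSP header. Either remove the whole `if ($legacy)` branch together with the parameter, or add a comment such as `// kept for callers passing $legacy=true; no supported browser reads this header` explaining why one prefixed header survives, because the browsers that only understood the prefixed names are all out of support. The enclosing method starts before and ends after this hunk.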


@ -3,14 +3,12 @@
namespace humhub\modules\web\security\models;
use Exception;
use humhub\modules\web\security\helpers\Security;
use Yii;
use yii\base\InvalidConfigException;
use yii\base\Model;
use yii\helpers\Json;
use yii\helpers\Url;
use humhub\modules\web\security\helpers\CSPBuilder;
use humhub\modules\web\security\helpers\Security;
use humhub\modules\web\security\Module;
use Yii;
use yii\base\Model;
use yii\helpers\Url;
/**
* The SecuritySettings are used to load and parse a security config file.
@ -36,12 +34,8 @@ use humhub\modules\web\security\Module;
class SecuritySettings extends Model
{
public const HEADER_CONTENT_SECRUITY_POLICY = 'Content-Security-Policy';
public const HEADER_CONTENT_SECRUITY_POLICY_IE = 'X-Content-Security-Policy';
public const HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY = 'Content-Security-Policy-Report-Only';
public const HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY_IE = 'X-Content-Security-Policy-Report-Only';
public const HEADER_X_CONTENT_TYPE = 'X-Content-Type-Options';
public const HEADER_X_XSS_PROTECTION = 'X-XSS-Protection';
public const HEADER_STRICT_TRANSPORT_SECURITY = 'Strict-Transport-Security';
public const HEADER_X_FRAME_OPTIONS = 'X-Frame-Options';
@ -149,10 +143,10 @@ class SecuritySettings extends Model
{
// If the `csp section is set to report-only`
if ($this->isReportOnlyCSP()) {
return [static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY, static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY_IE];
return [static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY];
}
return [static::HEADER_CONTENT_SECRUITY_POLICY, static::HEADER_CONTENT_SECRUITY_POLICY_IE];
return [static::HEADER_CONTENT_SECRUITY_POLICY];
}
/**
@ -254,9 +248,7 @@ class SecuritySettings extends Model
{
return in_array($header, [
static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY,
static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY_IE,
static::HEADER_CONTENT_SECRUITY_POLICY,
static::HEADER_CONTENT_SECRUITY_POLICY_IE], true);
static::HEADER_CONTENT_SECRUITY_POLICY], true);
}
/**
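Review bot: Removing `HEADER_CONTENT_SECRUITY_POLICY_IE` and `HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY_IE` (hunk at line 36) deletes public constants of a non-final model; any custom module or theme that references them will fail with an undefined-constant `Error` at runtime, and the changelog entry only says "Improved CSP headers". Consider keeping both for one release as `/** @deprecated the X- prefixed CSP header is no longer emitted */` so static analysis warns instead of the site breaking, or at least add an upgrade note. The two callers shown, getCSPHeaderKeys() and isCSPHeader(), are consistent with each other after the change, and isCSPHeader() correctly keeps `strict: true` on in_array. The misspelling `SECRUITY` in the remaining constant names is worth a deprecated alias as well, but that is a separate change.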


@ -2,13 +2,10 @@
namespace tests\codeception\unit\modules\web\security;
use web\WebSecurityTest;
use Yii;
use humhub\libs\Html;
use humhub\modules\web\Module;
use humhub\modules\web\security\helpers\Security;
use humhub\modules\web\security\models\SecuritySettings;
use yii\helpers\Json;
use web\WebSecurityTest;
class SecuritySettingsTest extends WebSecurityTest
{
@ -17,7 +14,6 @@ class SecuritySettingsTest extends WebSecurityTest
$this->setConfigFile('security.default.json');
$settings = new SecuritySettings();
$this->assertEquals('max-age=31536000', $settings->getHeader('Strict-Transport-Security'));
$this->assertEquals('1', $settings->getHeader('X-XSS-Protection'));
$this->assertEquals('nosniff', $settings->getHeader('X-Content-Type-Options'));
$this->assertNull($settings->getHeader('X-Frame-Options'));
$this->assertFalse($settings->isNonceSupportActive());
@ -28,7 +24,6 @@ class SecuritySettingsTest extends WebSecurityTest
$this->setConfigFile('security.strict.json');
$settings = new SecuritySettings();
$this->assertEquals('max-age=31536000', $settings->getHeader('Strict-Transport-Security'));
$this->assertEquals('1; mode=block', $settings->getHeader('X-XSS-Protection'));
$this->assertEquals('nosniff', $settings->getHeader('X-Content-Type-Options'));
$this->assertEquals('deny', $settings->getHeader('X-Frame-Options'));
}
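Review bot: The two `X-XSS-Protection` assertions are removed but nothing now asserts that the header is absent, so a config regression that re-adds the deprecated header (it re-enables the filter-based XSS auditors that were themselves a side channel and are disabled in current browsers) would go unnoticed; add `$this->assertNull($settings->getHeader('X-XSS-Protection'));` in both test methods of this file. The same applies to the SecurityTest hunk below, where the removed assertion could become `$this->assertFalse(Yii::$app->response->headers->has('X-XSS-Protection'));`. Nothing covers the new behaviour of getCSPHeaderKeys() returning only the unprefixed names, nor the `block-all-mixed-content` addition to the default policy. The first hunk's method continues past the hunk; the second appears to end with the closing brace shown.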


@ -2,11 +2,11 @@
namespace tests\codeception\unit\modules\web\security;
use web\WebSecurityTest;
use Yii;
use humhub\libs\Html;
use humhub\modules\web\security\helpers\Security;
use humhub\modules\web\security\models\SecuritySettings;
use web\WebSecurityTest;
use Yii;
class SecurityTest extends WebSecurityTest
{
@ -33,7 +33,6 @@ class SecurityTest extends WebSecurityTest
$this->assertStringContainsString(Security::getNonce(), Yii::$app->response->headers->get(SecuritySettings::HEADER_CONTENT_SECRUITY_POLICY));
$this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_STRICT_TRANSPORT_SECURITY), 'max-age=31536000');
$this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_X_XSS_PROTECTION), '1; mode=block');
$this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_X_CONTENT_TYPE), 'nosniff');
$this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_X_FRAME_OPTIONS), 'deny');
$this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_REFERRER_POLICY), 'no-referrer-when-downgrade');


@ -36,7 +36,6 @@ return [
'security' => [
"headers" => [
"Strict-Transport-Security" => "max-age=31536000",
"X-XSS-Protection" => "1; mode=block",
"X-Content-Type-Options" => "nosniff",
"X-Frame-Options" => "deny",
"Referrer-Policy" => "no-referrer-when-downgrade",