diff --git a/CHANGELOG.md b/CHANGELOG.md
index f0fd5956bf..86ed82def9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -47,6 +47,7 @@ HumHub Changelog
 - Fix #7248: Upgrade jQuery Highlight plugin
 - Fix #7254: Fix Login view HTML element ID from `user-auth-login-modal` to `user-auth-login`
 - Fix #7250: Check writable path
+- Enh #7255: Improved CSP headers
 - Enh #7253: CSV/XLSX export improvements
 - Enh #7252: Show "Powered by HumHub" even if no entries in the Footer menu
 - Enh #7257: Move "About" into Space Control Menu
diff --git a/protected/humhub/config/web.php b/protected/humhub/config/web.php
index 5448c9f3d4..c81d4da8f7 100644
--- a/protected/humhub/config/web.php
+++ b/protected/humhub/config/web.php
@@ -55,12 +55,11 @@ $config = [
 'security' => [
 "headers" => [
 "Strict-Transport-Security" => "max-age=31536000",
- "X-XSS-Protection" => "1; mode=block",
 "X-Content-Type-Options" => "nosniff",
 "Referrer-Policy" => "no-referrer-when-downgrade",
 "X-Permitted-Cross-Domain-Policies" => "master-only",
 "X-Frame-Options" => "sameorigin",
- "Content-Security-Policy" => "default-src *; connect-src *; font-src 'self'; frame-src https://* http://* *; img-src https://* http://* * data:; object-src 'self'; script-src {{ nonce }} 'self' https://* http://* * 'unsafe-inline' 'report-sample'; style-src * https://* http://* * 'unsafe-inline';",
+ "Content-Security-Policy" => "default-src *; connect-src *; font-src 'self'; frame-src https://* http://* *; img-src https://* http://* * data:; object-src 'self'; script-src {{ nonce }} 'self' https://* http://* * 'unsafe-inline' 'report-sample'; style-src * https://* http://* * 'unsafe-inline'; block-all-mixed-content;",
 ],
 'csp' => [
 'nonce' => true,
diff --git a/protected/humhub/modules/web/security/helpers/CSPBuilder.php b/protected/humhub/modules/web/security/helpers/CSPBuilder.php
index 1061bfe873..e1b309b4b2 100644
--- a/protected/humhub/modules/web/security/helpers/CSPBuilder.php
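Review bot: The `block-all-mixed-content;` directive appended to the new `Content-Security-Policy` line in web.php is deprecated in CSP Level 3, and current browsers already block or auto-upgrade mixed content on their own, so it adds little on top of the `Strict-Transport-Security` header kept at the top of this block. If the goal is to stop `http://` subresources on HTTPS pages, `upgrade-insecure-requests;` is the directive that is still maintained; appending it next to (or instead of) `block-all-mixed-content;` covers both old and new engines. Note that the rest of the value is unchanged and still allows `*` and `'unsafe-inline'` in `script-src`, so the changelog entry "Improved CSP headers" should not be read as a tightening of script execution; presumably that is deliberate for the shipped default, but a short comment above the line saying so would help the next reader.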
+++ b/protected/humhub/modules/web/security/helpers/CSPBuilder.php
@@ -881,9 +881,6 @@ class CSPBuilder
 // If we're supporting legacy devices, include these too:
 if ($legacy) {
- $return [] = $this->reportOnly
- ? 'X-Content-Security-Policy-Report-Only'
- : 'X-Content-Security-Policy';
 $return [] = $this->reportOnly ? 'X-Webkit-CSP-Report-Only' : 'X-Webkit-CSP';
diff --git a/protected/humhub/modules/web/security/models/SecuritySettings.php b/protected/humhub/modules/web/security/models/SecuritySettings.php
index f357df0bdb..60342aef88 100644
--- a/protected/humhub/modules/web/security/models/SecuritySettings.php
+++ b/protected/humhub/modules/web/security/models/SecuritySettings.php
@@ -3,14 +3,12 @@
 namespace humhub\modules\web\security\models;
 use Exception;
-use humhub\modules\web\security\helpers\Security;
-use Yii;
-use yii\base\InvalidConfigException;
-use yii\base\Model;
-use yii\helpers\Json;
-use yii\helpers\Url;
 use humhub\modules\web\security\helpers\CSPBuilder;
+use humhub\modules\web\security\helpers\Security;
 use humhub\modules\web\security\Module;
+use Yii;
+use yii\base\Model;
+use yii\helpers\Url;
 /**
 * The SecuritySettings are used to load and parse a security config file.
@@ -36,12 +34,8 @@ class SecuritySettings extends Model
 {
 public const HEADER_CONTENT_SECRUITY_POLICY = 'Content-Security-Policy';
- public const HEADER_CONTENT_SECRUITY_POLICY_IE = 'X-Content-Security-Policy';
 public const HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY = 'Content-Security-Policy-Report-Only';
- public const HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY_IE = 'X-Content-Security-Policy-Report-Only';
- public const HEADER_X_CONTENT_TYPE = 'X-Content-Type-Options';
- public const HEADER_X_XSS_PROTECTION = 'X-XSS-Protection';
 public const HEADER_STRICT_TRANSPORT_SECURITY = 'Strict-Transport-Security';
 public const HEADER_X_FRAME_OPTIONS = 'X-Frame-Options';
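Review bot: After the `X-Content-Security-Policy` name is dropped from the `$legacy` branch, the branch still emits `X-Webkit-CSP` / `X-Webkit-CSP-Report-Only`, which is a vendor-prefixed header of the same era and is likewise not honoured by any current engine, so the remaining lines look inconsistent with the intent of the change. Either remove the WebKit pair as well (at which point the `if ($legacy)` branch has nothing left to add), or state the reason for keeping it, e.g. `// Legacy mode now only emits the obsolete X-Webkit-CSP name; the X-Content-Security-Policy prefix was dropped.` The enclosing method starts before this hunk and the list it returns is built up further outside it.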
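Review bot: Removing `HEADER_X_CONTENT_TYPE` (together with `HEADER_X_XSS_PROTECTION`) from the constants in this hunk breaks an unchanged line elsewhere in the same commit: the SecurityTest.php hunk at `@@ -33,7 +33,6 @@` still reads `SecuritySettings::HEADER_X_CONTENT_TYPE` in the `nosniff` assertion, which will now fail with an undefined class constant. Keep `public const HEADER_X_CONTENT_TYPE = 'X-Content-Type-Options';` (the header itself is still configured in web.php and common.php), or change that assertion to use the literal header name. These constants are public, so deleting the remaining ones is also a compatibility break for any module that references them; if that is accepted it deserves a mention next to the `Enh #7255` changelog line.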
@@ -149,10 +143,10 @@ class SecuritySettings extends Model
 {
 // If the `csp section is set to report-only`
 if ($this->isReportOnlyCSP()) {
- return [static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY, static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY_IE];
+ return [static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY];
 }
- return [static::HEADER_CONTENT_SECRUITY_POLICY, static::HEADER_CONTENT_SECRUITY_POLICY_IE];
+ return [static::HEADER_CONTENT_SECRUITY_POLICY];
 }
 /**
@@ -254,9 +248,7 @@ class SecuritySettings extends Model
 {
 return in_array($header, [
 static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY,
- static::HEADER_CONTENT_SECRUITY_POLICY_REPORT_ONLY_IE,
- static::HEADER_CONTENT_SECRUITY_POLICY,
- static::HEADER_CONTENT_SECRUITY_POLICY_IE], true);
+ static::HEADER_CONTENT_SECRUITY_POLICY], true);
 }
 /**
diff --git a/protected/humhub/modules/web/tests/codeception/unit/security/SecuritySettingsTest.php b/protected/humhub/modules/web/tests/codeception/unit/security/SecuritySettingsTest.php
index f28d8b7ca9..87c58d8a33 100644
--- a/protected/humhub/modules/web/tests/codeception/unit/security/SecuritySettingsTest.php
+++ b/protected/humhub/modules/web/tests/codeception/unit/security/SecuritySettingsTest.php
@@ -2,13 +2,10 @@
 namespace tests\codeception\unit\modules\web\security;
-use web\WebSecurityTest;
-use Yii;
 use humhub\libs\Html;
-use humhub\modules\web\Module;
 use humhub\modules\web\security\helpers\Security;
 use humhub\modules\web\security\models\SecuritySettings;
-use yii\helpers\Json;
+use web\WebSecurityTest;
 class SecuritySettingsTest extends WebSecurityTest
 {
@@ -17,7 +14,6 @@ class SecuritySettingsTest extends WebSecurityTest
 $this->setConfigFile('security.default.json');
 $settings = new SecuritySettings();
 $this->assertEquals('max-age=31536000', $settings->getHeader('Strict-Transport-Security'));
- $this->assertEquals('1', $settings->getHeader('X-XSS-Protection'));
 $this->assertEquals('nosniff', $settings->getHeader('X-Content-Type-Options'));
 $this->assertNull($settings->getHeader('X-Frame-Options'));
 $this->assertFalse($settings->isNonceSupportActive());
@@ -28,7 +24,6 @@ class SecuritySettingsTest extends WebSecurityTest
 $this->setConfigFile('security.strict.json');
 $settings = new SecuritySettings();
 $this->assertEquals('max-age=31536000', $settings->getHeader('Strict-Transport-Security'));
- $this->assertEquals('1; mode=block', $settings->getHeader('X-XSS-Protection'));
 $this->assertEquals('nosniff', $settings->getHeader('X-Content-Type-Options'));
 $this->assertEquals('deny', $settings->getHeader('X-Frame-Options'));
 }
diff --git a/protected/humhub/modules/web/tests/codeception/unit/security/SecurityTest.php b/protected/humhub/modules/web/tests/codeception/unit/security/SecurityTest.php
index 171299f928..133a30976b 100644
--- a/protected/humhub/modules/web/tests/codeception/unit/security/SecurityTest.php
+++ b/protected/humhub/modules/web/tests/codeception/unit/security/SecurityTest.php
@@ -2,11 +2,11 @@
 namespace tests\codeception\unit\modules\web\security;
-use web\WebSecurityTest;
-use Yii;
 use humhub\libs\Html;
 use humhub\modules\web\security\helpers\Security;
 use humhub\modules\web\security\models\SecuritySettings;
+use web\WebSecurityTest;
+use Yii;
 class SecurityTest extends WebSecurityTest
 {
@@ -33,7 +33,6 @@ class SecurityTest extends WebSecurityTest
 $this->assertStringContainsString(Security::getNonce(), Yii::$app->response->headers->get(SecuritySettings::HEADER_CONTENT_SECRUITY_POLICY));
 $this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_STRICT_TRANSPORT_SECURITY), 'max-age=31536000');
- $this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_X_XSS_PROTECTION), '1; mode=block');
 $this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_X_CONTENT_TYPE), 'nosniff');
 $this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_X_FRAME_OPTIONS), 'deny');
 $this->assertEquals(Yii::$app->response->headers->get(SecuritySettings::HEADER_REFERRER_POLICY), 'no-referrer-when-downgrade');
diff --git a/protected/humhub/tests/config/common.php b/protected/humhub/tests/config/common.php
index 021e71b021..78b614bdfd 100644
--- a/protected/humhub/tests/config/common.php
+++ b/protected/humhub/tests/config/common.php
@@ -36,7 +36,6 @@ return [
 'security' => [
 "headers" => [
 "Strict-Transport-Security" => "max-age=31536000",
- "X-XSS-Protection" => "1; mode=block",
 "X-Content-Type-Options" => "nosniff",
 "X-Frame-Options" => "deny",
 "Referrer-Policy" => "no-referrer-when-downgrade",