MVC/Content-Security-Policy settings, allow per controller overrides, see https://github.com/opnsense/core/pull/2212

This commit is contained in:
Ad Schellevis 2018-04-20 18:43:25 +02:00
parent e2bd521ffa
commit a8f54d2e77


@ -36,6 +36,11 @@ use OPNsense\Core\Config;
*/
class ControllerBase extends ControllerRoot
{
/**
* @var array Content-Security-Policy extensions, when set they will be merged with the defaults
*/
protected $content_security_policy = array();
/**
* convert xml form definition to simple data structure to use in our Volt templates
*
@ -207,7 +212,24 @@ class ControllerBase extends ControllerRoot
// append ACL object to view
$this->view->acl = new \OPNsense\Core\ACL();
$this->response->setHeader('Content-Security-Policy', "script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';");
// set security policies
$policies = array(
"default-src" => "'self'",
"img-src" => "'self'",
"script-src" => "'self' 'unsafe-inline' 'unsafe-eval'",
"style-src" => "'self' 'unsafe-inline' 'unsafe-eval'");
foreach ($this->content_security_policy as $policy_name => $policy_content) {
if (empty($policies[$policy_name])) {
$policies[$policy_name] = "";
}
$policies[$policy_name] .= " {$policy_content}";
}
$csp = "";
foreach ($policies as $policy_name => $policy) {
$csp .= $policy_name . " " . $policy . " ;";
}
$this->response->setHeader('Content-Security-Policy', $csp);
$this->response->setHeader('X-Frame-Options', "SAMEORIGIN");
$this->response->setHeader('X-Content-Type-Options', "nosniff");
$this->response->setHeader('X-XSS-Protection', "1; mode=block");
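Review bot: The new `$policies` defaults rely on `default-src 'self'` for everything not listed, but `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`, so after this change framing is still governed only by the legacy `X-Frame-Options` header and an injected `<base>` tag is not restricted at all. Adding `"frame-ancestors" => "'self'",` and `"base-uri" => "'self'",` to the defaults would give the CSP the same framing guarantee the header already makes and close the base-uri gap. The merge loop appends each controller value verbatim, so a value containing `;` would introduce extra directives; since the values come from subclass properties rather than request data this is a robustness point, but a comment on the property noting that values must be a single source list is worth adding, e.g. `* Values are appended to the directive's default source list; they must not contain ';'`. Note that `script-src` and `style-src` keep `'unsafe-inline' 'unsafe-eval'` (pre-existing), which leaves the policy with little practical XSS mitigation until those are removed. The enclosing method begins before this hunk.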