|
@@ -1462,12 +1462,57 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
|
|
|
// X-XSS-Protection
|
|
|
//header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated.
|
|
|
|
|
|
+ // Content-Security-Policy-Report-Only
|
|
|
+ if (!defined('MAIN_SECURITY_FORCECSPRO')) {
|
|
|
+ // If CSP not forced from the page
|
|
|
+
|
|
|
+ // A default security policy that keep usage of js external component like ckeditor, stripe, google, working
|
|
|
+ // For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
|
|
|
+ // default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
|
|
|
+ // For example, to restrict everything to itself except img that can be on other servers:
|
|
|
+ // default-src 'self'; img-src *;
|
|
|
+ // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
|
|
|
+ // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
|
|
|
+ //
|
|
|
+ // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googlapis.com *.google-analytics.com *.googletagmanager.com;";
|
|
|
+ // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googlapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
|
|
|
+ $contentsecuritypolicy = getDolGlobalString('MAIN_SECURITY_FORCECSPRO');
|
|
|
+
|
|
|
+ if (!is_object($hookmanager)) {
|
|
|
+ include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
|
|
|
+ $hookmanager = new HookManager($db);
|
|
|
+ }
|
|
|
+ $hookmanager->initHooks(array("main"));
|
|
|
+
|
|
|
+ $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy, 'mode'=>'reportonly');
|
|
|
+ $result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters); // Note that $action and $object may have been modified by some hooks
|
|
|
+ if ($result > 0) {
|
|
|
+ $contentsecuritypolicy = $hookmanager->resPrint; // Replace CSP
|
|
|
+ } else {
|
|
|
+ $contentsecuritypolicy .= $hookmanager->resPrint; // Concat CSP
|
|
|
+ }
|
|
|
+
|
|
|
+ if (!empty($contentsecuritypolicy)) {
|
|
|
+ header("Content-Security-Policy-Report-Only: ".$contentsecuritypolicy);
|
|
|
+ }
|
|
|
+ } else {
|
|
|
+ header("Content-Security-Policy: ".constant('MAIN_SECURITY_FORCECSPRO'));
|
|
|
+ }
|
|
|
+
|
|
|
// Content-Security-Policy
|
|
|
if (!defined('MAIN_SECURITY_FORCECSP')) {
|
|
|
// If CSP not forced from the page
|
|
|
|
|
|
// A default security policy that keep usage of js external component like ckeditor, stripe, google, working
|
|
|
- // $contentsecuritypolicy = "font-src *; img-src *; style-src * 'unsafe-inline' 'unsafe-eval'; default-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; script-src 'self' *.stripe.com 'unsafe-inline' 'unsafe-eval'; frame-src 'self' *.stripe.com; connect-src 'self';";
|
|
|
+ // For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
|
|
|
+ // default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
|
|
|
+ // For example, to restrict everything to itself except img that can be on other servers:
|
|
|
+ // default-src 'self'; img-src *;
|
|
|
+ // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
|
|
|
+ // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
|
|
|
+ //
|
|
|
+ // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googlapis.com *.google-analytics.com *.googletagmanager.com;";
|
|
|
+ // $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googlapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
|
|
|
$contentsecuritypolicy = getDolGlobalString('MAIN_SECURITY_FORCECSP');
|
|
|
|
|
|
if (!is_object($hookmanager)) {
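Review bot: The `else` branch that closes the new Report-Only block, `header("Content-Security-Policy: ".constant('MAIN_SECURITY_FORCECSPRO'));`, sends the enforcing header, so a page that defines MAIN_SECURITY_FORCECSPRO to trial a policy in report-only mode gets it enforced instead and can break its own resources; it should read `header("Content-Security-Policy-Report-Only: ".constant('MAIN_SECURITY_FORCECSPRO'));`. The whole block is a copy of the enforcing block that follows it, differing only in the header name, the constant name and the hook `mode`, so a small private helper taking those three values would remove the duplication that produced this slip. The example directives added in the comments write `style-src:`, `script-src:` and `img-src:` with a colon, which browsers treat as unknown directives and silently ignore, and `*.googlapis.com` looks like a typo for `*.googleapis.com`; since these lines are meant to be copied into configuration they should be corrected. The enclosing function top_httphead() starts and ends outside the hunk.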
|
|
@@ -1476,7 +1521,7 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
|
|
|
}
|
|
|
$hookmanager->initHooks(array("main"));
|
|
|
|
|
|
- $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy);
|
|
|
+ $parameters = array('contentsecuritypolicy'=>$contentsecuritypolicy, 'mode'=>'active');
|
|
|
$result = $hookmanager->executeHooks('setContentSecurityPolicy', $parameters); // Note that $action and $object may have been modified by some hooks
|
|
|
if ($result > 0) {
|
|
|
$contentsecuritypolicy = $hookmanager->resPrint; // Replace CSP
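Review bot: With `'mode'=>'active'` here and `'reportonly'` in the block above, the setContentSecurityPolicy hook now runs twice per request, and a hook written before this change that ignores `mode` will contribute the same fragment to both the enforcing and the Report-Only header, which may not be what a module testing a policy intended. The new parameter should be documented where the hook is described, e.g. `// 'mode' is 'active' for Content-Security-Policy and 'reportonly' for Content-Security-Policy-Report-Only; hooks should check it`. It is also worth confirming that executeHooks() resets resPrint between the two calls; if it does not, the `.=` concatenation in this block would also absorb the report-only fragment. The enclosing function top_httphead() starts and ends outside the hunk.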
|
|
@@ -1485,14 +1530,6 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0)
|
|
|
}
|
|
|
|
|
|
if (!empty($contentsecuritypolicy)) {
|
|
|
- // For example, to restrict 'script', 'object', 'frames' or 'img' to some domains:
|
|
|
- // script-src https://api.google.com https://anotherhost.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: https://static.example.com
|
|
|
- // For example, to restrict everything to one domain, except 'object', ...:
|
|
|
- // default-src https://cdn.example.net; object-src 'none'
|
|
|
- // For example, to restrict everything to itself except img that can be on other servers:
|
|
|
- // default-src 'self'; img-src *;
|
|
|
- // Pre-existing site that uses too much js code to fix but wants to ensure resources are loaded only over https and disable plugins:
|
|
|
- // default-src https: 'unsafe-inline' 'unsafe-eval'; object-src 'none'
|
|
|
header("Content-Security-Policy: ".$contentsecuritypolicy);
|
|
|
}
|
|
|
} else {
|