Import CSP in manager code (#1137)

2017-03-15 22:27:58 +00:00 · 2017-03-15 22:27:58 +00:00 · 0845237efe
commit 0845237efe
parent 9b9ecee8bb
7 changed files with 25 additions and 28 deletions
--- a/_example/etc/manager-apache2.4.conf
+++ b/_example/etc/manager-apache2.4.conf
@ -37,12 +37,6 @@
    <Files *.fcgi>
        SetHandler fcgid-script
        Options +ExecCGI
-        <IfModule mod_headers.c>
-            header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;"
-            header set X-Content-Type-Options nosniff
-            header set X-Frame-Options DENY
-            header set X-XSS-Protection "1; mode=block"
-        </IfModule>
    </Files>

    # If you want to use mod_fastcgi, replace lines below by:
--- a/_example/etc/manager-apache2.X.conf
+++ b/_example/etc/manager-apache2.X.conf
@ -37,12 +37,6 @@
    <Files *.fcgi>
        SetHandler fcgid-script
        Options +ExecCGI
-        <IfModule mod_headers.c>
-            header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;"
-            header set X-Content-Type-Options nosniff
-            header set X-Frame-Options DENY
-            header set X-XSS-Protection "1; mode=block"
-        </IfModule>
    </Files>

    # If you want to use mod_fastcgi, replace lines below by:
--- a/_example/etc/manager-apache2.conf
+++ b/_example/etc/manager-apache2.conf
@ -37,12 +37,6 @@
    <Files *.fcgi>
        SetHandler fcgid-script
        Options +ExecCGI
-        <IfModule mod_headers.c>
-            header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;"
-            header set X-Content-Type-Options nosniff
-            header set X-Frame-Options DENY
-            header set X-XSS-Protection "1; mode=block"
-        </IfModule>
    </Files>

    # If you want to use mod_fastcgi, replace lines below by:
--- a/_example/etc/manager-nginx.conf
+++ b/_example/etc/manager-nginx.conf
@ -14,10 +14,6 @@ server {
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
    fastcgi_param PATH_INFO  $fastcgi_path_info;
-    add_header X-Content-Type-Options nosniff;
-    add_header X-XSS-Protection "1; mode=block";
-    add_header Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;";
-    add_header X-Frame-Options DENY;
    # Uncomment this if you use https only
    #add_header Strict-Transport-Security "15768000";
  }
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
@ -22,6 +22,8 @@ our $VERSION = '2.0.0';
 extends 'Lemonldap::NG::Common::Conf::AccessLib',
  'Lemonldap::NG::Handler::PSGI::Router';

+has csp => ( is => 'rw' );
+
 ## @method boolean init($args)
 # Launch initialization method
 #
@ -75,6 +77,12 @@ sub init {
    $self->addRoute( links     => 'links',  ['GET'] );
    $self->addRoute( 'psgi.js' => 'sendJs', ['GET'] );

+    my $portal = $conf->{portal};
+    $portal =~ s#htts?://([^/])*.*#$1#;
+    $self->csp(
+"default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' $portal;"
+    );
+
    $self->defaultRoute( $working[0]->defaultRoute );

    my $linksIcons =
@ -124,6 +132,17 @@ sub javascript {
      );
 }

+sub sendHtml {
+    my ( $self, $req, $template, %args ) = @_;
+    my $res = $self->SUPER::sendHtml( $req, $template, %args );
+    push @{ $res->[1] },
+      'Content-Security-Policy' => $self->csp,
+      'X-Content-Type-Options'  => 'nosniff',
+      'X-Frame-Options'         => 'DENY',
+      'X-XSS-Protection'        => '1; mode=block';
+    return $res;
+}
+
 1;
 __END__

--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm
@ -45,7 +45,7 @@ sub mkSessionArray {
    foreach my $session (@$sessions) {
        $tmp .= "<tr>";
        $tmp .= "<td>$session->{user}</td>" if ($displayUser);
-        $tmp .= qq'<td localtime="$session->{_utime}"></td>";
+        $tmp .= qq'<td localtime="$session->{_utime}"></td>';
        $tmp .= "<td>$session->{ipAddr}</td>";
        $tmp .= "<td>" . ( $session->{$_} || "" ) . "</td>"
          foreach ( keys %{ $self->{sessionDataToRemember} } );
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@ -674,7 +674,8 @@ sub _dump {

 sub sendHtml {
    my ( $self, $req, $template, %args ) = @_;
-    push @{ $req->respHeaders },
+    my $res = $self->SUPER::sendHtml( $req, $template, %args );
+    push @{ $res->[1] },
      'X-XSS-Protection'       => '1; mode=block',
      'X-Content-Type-Options' => 'nosniff';

@ -692,7 +693,7 @@ sub sendHtml {

    # Deny using portal in frame except if it is required
    unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
-        push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY';
+        push @{ $res->[1] }, 'X-Frame-Options' => 'DENY';
        $csp .= "frame-ancestors 'none';";
    }

@ -707,9 +708,8 @@ sub sendHtml {
    }

    # Set CSP header
-    push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;
-
-    return $self->SUPER::sendHtml( $req, $template, %args );
+    push @{ $res->[1] }, 'Content-Security-Policy' => $csp;
+    return $res;
 }

 sub rebuildCookies {