diff --git a/_example/etc/manager-apache2.4.conf b/_example/etc/manager-apache2.4.conf
index 3070e1c0b..1860e0aad 100644
--- a/_example/etc/manager-apache2.4.conf
+++ b/_example/etc/manager-apache2.4.conf
@@ -37,12 +37,6 @@
SetHandler fcgid-script
Options +ExecCGI
-
- header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;"
- header set X-Content-Type-Options nosniff
- header set X-Frame-Options DENY
- header set X-XSS-Protection "1; mode=block"
-
# If you want to use mod_fastcgi, replace lines below by:
diff --git a/_example/etc/manager-apache2.X.conf b/_example/etc/manager-apache2.X.conf
index 8a0f3a8a1..64df55888 100644
--- a/_example/etc/manager-apache2.X.conf
+++ b/_example/etc/manager-apache2.X.conf
@@ -37,12 +37,6 @@
SetHandler fcgid-script
Options +ExecCGI
-
- header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;"
- header set X-Content-Type-Options nosniff
- header set X-Frame-Options DENY
- header set X-XSS-Protection "1; mode=block"
-
# If you want to use mod_fastcgi, replace lines below by:
diff --git a/_example/etc/manager-apache2.conf b/_example/etc/manager-apache2.conf
index 6575688bd..6823f56f0 100644
--- a/_example/etc/manager-apache2.conf
+++ b/_example/etc/manager-apache2.conf
@@ -37,12 +37,6 @@
SetHandler fcgid-script
Options +ExecCGI
-
- header set Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;"
- header set X-Content-Type-Options nosniff
- header set X-Frame-Options DENY
- header set X-XSS-Protection "1; mode=block"
-
# If you want to use mod_fastcgi, replace lines below by:
diff --git a/_example/etc/manager-nginx.conf b/_example/etc/manager-nginx.conf
index fc43f0b67..d953f4dfb 100644
--- a/_example/etc/manager-nginx.conf
+++ b/_example/etc/manager-nginx.conf
@@ -14,10 +14,6 @@ server {
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
- add_header X-Content-Type-Options nosniff;
- add_header X-XSS-Protection "1; mode=block";
- add_header Content-Security-Policy "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' auth.example.com;";
- add_header X-Frame-Options DENY;
# Uncomment this if you use https only
#add_header Strict-Transport-Security "15768000";
}
diff --git a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
index d2e1a2602..f63a13f66 100644
--- a/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
+++ b/lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm
@@ -22,6 +22,8 @@ our $VERSION = '2.0.0';
extends 'Lemonldap::NG::Common::Conf::AccessLib',
'Lemonldap::NG::Handler::PSGI::Router';
+has csp => ( is => 'rw' );
+
## @method boolean init($args)
# Launch initialization method
#
@@ -75,6 +77,12 @@ sub init {
$self->addRoute( links => 'links', ['GET'] );
$self->addRoute( 'psgi.js' => 'sendJs', ['GET'] );
+ my $portal = $conf->{portal};
+ $portal =~ s#htts?://([^/])*.*#$1#;
+ $self->csp(
+"default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self' $portal;"
+ );
+
$self->defaultRoute( $working[0]->defaultRoute );
my $linksIcons =
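Review bot: The host extraction on the second added line is broken twice over: `htts?://` is missing the `p`, so it never matches `http://` or `https://`, and `([^/])*` captures only the last character of the host (or nothing, leaving `$1` undef) rather than the whole host. For a normal portal URL the substitution is therefore a no-op and the full URL, path included, is interpolated into `img-src`, which narrows the source to that exact path instead of whitelisting the portal host as the removed `auth.example.com` did. A single anchored match does the job: `my ($portal) = ( $conf->{portal} || '' ) =~ m{^https?://([^/]+)};` followed by `$self->csp( "default-src 'self';frame-ancestors 'none';form-action 'self';img-src 'self'" . ( $portal ? " $portal" : '' ) . ';' );`. Note that `$conf->{portal}` is admin-controlled configuration, but since it lands unescaped in a security header a value containing `;` or whitespace would still alter the policy, so the match-based form above is also safer than the substitution. `init` continues beyond this hunk, so the fix cannot be checked against the rest of the method here.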
@@ -124,6 +132,17 @@ sub javascript {
);
}
+sub sendHtml {
+ my ( $self, $req, $template, %args ) = @_;
+ my $res = $self->SUPER::sendHtml( $req, $template, %args );
+ push @{ $res->[1] },
+ 'Content-Security-Policy' => $self->csp,
+ 'X-Content-Type-Options' => 'nosniff',
+ 'X-Frame-Options' => 'DENY',
+ 'X-XSS-Protection' => '1; mode=block';
+ return $res;
+}
+
1;
__END__
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm
index b9aae7b8b..f57aaabda 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OtherSessions.pm
@@ -45,7 +45,7 @@ sub mkSessionArray {
foreach my $session (@$sessions) {
$tmp .= "
";
$tmp .= "$session->{user} | " if ($displayUser);
- $tmp .= qq' | ";
+ $tmp .= qq' | ';
$tmp .= "$session->{ipAddr} | ";
$tmp .= "" . ( $session->{$_} || "" ) . " | "
foreach ( keys %{ $self->{sessionDataToRemember} } );
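Review bot: The fixed line now terminates its string correctly, but the surrounding rows still concatenate `$session->{user}`, `$session->{ipAddr}` and every `sessionDataToRemember` value straight into markup without any escaping (the extraction appears to have stripped the HTML tags, but the `|` separators show this is a table being built). If `ipAddr` or any remembered attribute can be influenced by the client, say via a forwarded-address header or a self-edited directory attribute, this is a stored XSS in the "other sessions" view; that is an inference from the names, not something the hunk proves. Consider wrapping each interpolated value in the portal's HTML-escaping helper (or `HTML::Entities::encode_entities`) before concatenation, e.g. `$tmp .= "$session->{ipAddr} | ";` becoming `$tmp .= encode_entities( $session->{ipAddr} ) . " | ";`. `mkSessionArray` starts and ends outside this hunk.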
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
index b25063e66..d25b2add6 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm
@@ -674,7 +674,8 @@ sub _dump {
sub sendHtml {
my ( $self, $req, $template, %args ) = @_;
- push @{ $req->respHeaders },
+ my $res = $self->SUPER::sendHtml( $req, $template, %args );
+ push @{ $res->[1] },
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff';
@@ -692,7 +693,7 @@ sub sendHtml {
# Deny using portal in frame except if it is required
unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
- push @{ $req->respHeaders }, 'X-Frame-Options' => 'DENY';
+ push @{ $res->[1] }, 'X-Frame-Options' => 'DENY';
$csp .= "frame-ancestors 'none';";
}
@@ -707,9 +708,8 @@ sub sendHtml {
}
# Set CSP header
- push @{ $req->respHeaders }, 'Content-Security-Policy' => $csp;
-
- return $self->SUPER::sendHtml( $req, $template, %args );
+ push @{ $res->[1] }, 'Content-Security-Policy' => $csp;
+ return $res;
}
sub rebuildCookies {