X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/253f386f006eb0bcdf1151008b75213e96c4edf9..refs/pull/3247/head:/app/Util/CspService.php
diff --git a/app/Util/CspService.php b/app/Util/CspService.php
index 2728aae44..812e1a4be 100644
--- a/app/Util/CspService.php
+++ b/app/Util/CspService.php
@@ -12,7 +12,7 @@ class CspService
 
     public function __construct(string $nonce = '')
     {
-        $this->nonce = $nonce ?: Str::random(16);
+        $this->nonce = $nonce ?: Str::random(24);
     }
 
     /**
@@ -34,9 +34,12 @@ class CspService
         }
 
         $parts = [
+            'http:',
+            'https:',
             '\'nonce-' . $this->nonce . '\'',
             '\'strict-dynamic\'',
         ];
+
         $value = 'script-src ' . implode(' ', $parts);
         $response->headers->set('Content-Security-Policy', $value, false);
     }
@@ -62,11 +65,32 @@ class CspService
         return count($this->getAllowedIframeHosts()) > 0;
     }
 
+    /**
+     * Sets CSP 'object-src' headers to restrict the types of dynamic content
+     * that can be embedded on the page.
+     */
+    public function setObjectSrc(Response $response)
+    {
+        if (config('app.allow_content_scripts')) {
+            return;
+        }
+
+        $response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
+    }
+
+    /**
+     * Sets CSP 'base-uri' headers to restrict what base tags can be set on
+     * the page to prevent manipulation of relative links.
+     */
+    public function setBaseUri(Response $response)
+    {
+        $response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
+    }
 
     protected function getAllowedIframeHosts(): array
     {
         $hosts = config('app.iframe_hosts', '');
+
         return array_filter(explode(' ', $hosts));
     }
-
-}
\ No newline at end of file
+}
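Review bot: The constructor's fallback still relies on `?:`, so a caller-supplied nonce of `'0'` is treated as absent and silently replaced by a generated one; the intent (generate only when nothing was given) is clearer as `$this->nonce = $nonce !== '' ? $nonce : Str::random(24);`. The constructor also has no docblock, unlike the methods around it; `/** Creates the service, generating a fresh random nonce when none is supplied. */` would state the contract callers depend on. The enclosing class continues outside the hunk.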
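Review bot: The new `'http:'` and `'https:'` entries at the top of `$parts` change the policy's meaning differently per browser, and nothing in the hunk says so: a browser that honours `'strict-dynamic'` ignores scheme and host sources entirely, while one that does not will now accept any script served over http or https, so the broader allowance only ever applies on the less capable side. A comment above the entries would keep the next maintainer from tightening or loosening the wrong thing, e.g. `// Scheme sources are ignored by browsers that honour 'strict-dynamic'; they only act as a fallback on browsers without strict-dynamic support.` The enclosing method's signature and its early-return guard start before this hunk.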
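Review bot: The two new public methods declare no return type, while the sibling `getAllowedIframeHosts(): array` in the same hunk does; `public function setObjectSrc(Response $response): void` and `public function setBaseUri(Response $response): void` keep the class consistent and let static analysis catch accidental returns. The `setObjectSrc` docblock should also mention that when `app.allow_content_scripts` is enabled no `object-src` directive is emitted at all, since that early return is the only visible path that leaves the header unset and a reader of the docblock alone would not expect it. Both methods pass `false` as the replace flag, so each call appends a further `Content-Security-Policy` header rather than overwriting the `script-src` one; a one-line comment such as `// Appended as a separate header; browsers enforce every CSP header they receive.` would make that deliberate.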