$this->cspService->setFrameAncestors($response);
$this->cspService->setScriptSrc($response);
+ $this->cspService->setObjectSrc($response);
+ $this->cspService->setBaseUri($response);
return $response;
}
}
$parts = [
+ 'http:',
+ 'https:',
'\'nonce-' . $this->nonce . '\'',
'\'strict-dynamic\'',
];
+
$value = 'script-src ' . implode(' ', $parts);
$response->headers->set('Content-Security-Policy', $value, false);
}
return count($this->getAllowedIframeHosts()) > 0;
}
+ /**
+ * Sets CSP 'object-src' headers to restrict the types of dynamic content
+ * that can be embedded on the page.
+ */
+ public function setObjectSrc(Response $response)
+ {
+ if (config('app.allow_content_scripts')) {
+ return;
+ }
+
+ $response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
+ }
+
+ /**
+ * Sets CSP 'base-uri' headers to restrict what base tags can be set on
+ * the page to prevent manipulation of relative links.
+ */
+ public function setBaseUri(Response $response)
+ {
+ $response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
+ }
protected function getAllowedIframeHosts(): array
{
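Review bot: setObjectSrc emits no object-src directive at all when `app.allow_content_scripts` is enabled, so the docblock's promise of restricting embedded content only holds in the default configuration; the early return deserves a line such as `// Intentionally no object-src directive: content scripts are allowed, so embedded content is expected.` and the docblock should name the config dependency. `object-src 'self'` still permits same-origin plugin content (any file the application itself serves that a browser can render via `<object>`/`<embed>`), so if the application never needs plugin content `'none'` is the conventional stricter value; otherwise the reason for `'self'` is worth a comment. Both new methods also lack a `: void` return type, which the neighbouring `getAllowedIframeHosts(): array` suggests is the local convention. In the earlier setScriptSrc hunk, the new `'http:'`/`'https:'` entries are presumably fallbacks for browsers that do not honour `'strict-dynamic'` (which makes supporting browsers ignore scheme sources); a one-line comment stating that would stop a later reader from treating them as a loosening of the policy.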
$this->assertNotEmpty($scriptHeader);
}
+ public function test_object_src_csp_header_set()
+ {
+ $resp = $this->get('/');
+ $scriptHeader = $this->getCspHeader($resp, 'object-src');
+ $this->assertEquals('object-src \'self\'', $scriptHeader);
+ }
+
+ public function test_base_uri_csp_header_set()
+ {
+ $resp = $this->get('/');
+ $scriptHeader = $this->getCspHeader($resp, 'base-uri');
+ $this->assertEquals('base-uri \'self\'', $scriptHeader);
+ }
+
/**
* Get the value of the first CSP header of the given type.
*/
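Review bot: The two new tests copy the `$scriptHeader` name from the script-src test although they read the object-src and base-uri values; `$objectHeader` and `$baseUriHeader` would read correctly. More importantly, only the default branch of setObjectSrc is covered: nothing asserts that the directive is absent when `app.allow_content_scripts` is true, which is the branch most likely to regress silently. A companion test along the lines below would close that gap; whether `assertEmpty` is the right check depends on what getCspHeader returns for a missing directive, and its body lies outside the hunk.
```php
public function test_object_src_csp_header_not_set_when_content_scripts_allowed()
{
    config()->set('app.allow_content_scripts', true);
    $resp = $this->get('/');
    $objectHeader = $this->getCspHeader($resp, 'object-src');
    $this->assertEmpty($objectHeader);
}
```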