Added a couple of additional CSP rules

As per guidance from google's CSP evaluator.

diff --git a/app/Http/Middleware/ApplyCspRules.php b/app/Http/Middleware/ApplyCspRules.php
index 4c2b1e1da0d5587fc26f7fe0ddf30ca17cd062a6..a65d12a05ca4bb54c2bb410d309a24a7882da921 100644 (file)
--- a/app/Http/Middleware/ApplyCspRules.php
+++ b/app/Http/Middleware/ApplyCspRules.php
@@ -38,6 +38,8 @@ class ApplyCspRules
 
         $this->cspService->setFrameAncestors($response);
         $this->cspService->setScriptSrc($response);
 
         $this->cspService->setFrameAncestors($response);
         $this->cspService->setScriptSrc($response);

+        $this->cspService->setObjectSrc($response);
+        $this->cspService->setBaseUri($response);

 
         return $response;
     }
 
         return $response;
     }

diff --git a/app/Util/CspService.php b/app/Util/CspService.php
index 2728aae44dd8673eceef87b5498c95f485cc2451..2979ebc3e1b2c3a5a793d6cd06666c73361840dd 100644 (file)
--- a/app/Util/CspService.php
+++ b/app/Util/CspService.php
@@ -34,9 +34,12 @@ class CspService
         }
 
         $parts = [
         }
 
         $parts = [

+            'http:',
+            'https:',

             '\'nonce-' . $this->nonce . '\'',
             '\'strict-dynamic\'',
         ];
             '\'nonce-' . $this->nonce . '\'',
             '\'strict-dynamic\'',
         ];

+

         $value = 'script-src ' . implode(' ', $parts);
         $response->headers->set('Content-Security-Policy', $value, false);
     }
         $value = 'script-src ' . implode(' ', $parts);
         $response->headers->set('Content-Security-Policy', $value, false);
     }


@@ -62,6 +65,27 @@ class CspService
         return count($this->getAllowedIframeHosts()) > 0;
     }
 
         return count($this->getAllowedIframeHosts()) > 0;
     }
 

+    /**
+     * Sets CSP 'object-src' headers to restrict the types of dynamic content
+     * that can be embedded on the page.
+     */
+    public function setObjectSrc(Response $response)
+    {
+        if (config('app.allow_content_scripts')) {
+            return;
+        }
+
+        $response->headers->set('Content-Security-Policy', 'object-src \'self\'', false);
+    }
+
+    /**
+     * Sets CSP 'base-uri' headers to restrict what base tags can be set on
+     * the page to prevent manipulation of relative links.
+     */
+    public function setBaseUri(Response $response)
+    {
+        $response->headers->set('Content-Security-Policy', 'base-uri \'self\'', false);
+    }

 
     protected function getAllowedIframeHosts(): array
     {
 
     protected function getAllowedIframeHosts(): array
     {

diff --git a/tests/SecurityHeaderTest.php b/tests/SecurityHeaderTest.php
index 57f4ab0df3fd7dc33f8031415b0181b3519d99f4..fe25ef3f00b6a95de8021c7f99b53a82495a910b 100644 (file)
--- a/tests/SecurityHeaderTest.php
+++ b/tests/SecurityHeaderTest.php
@@ -105,6 +105,20 @@ class SecurityHeaderTest extends TestCase
         $this->assertNotEmpty($scriptHeader);
     }
 
         $this->assertNotEmpty($scriptHeader);
     }
 

+    public function test_object_src_csp_header_set()
+    {
+        $resp = $this->get('/');
+        $scriptHeader = $this->getCspHeader($resp, 'object-src');
+        $this->assertEquals('object-src \'self\'', $scriptHeader);
+    }
+
+    public function test_base_uri_csp_header_set()
+    {
+        $resp = $this->get('/');
+        $scriptHeader = $this->getCspHeader($resp, 'base-uri');
+        $this->assertEquals('base-uri \'self\'', $scriptHeader);
+    }
+

     /**
      * Get the value of the first CSP header of the given type.
      */
     /**
      * Get the value of the first CSP header of the given type.
      */