GNUsocial/gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity

[CORE][Controller] Added Content-Security-Policy response header.

Browse Source
This commit is contained in:
Eliseu Amaro 2021-11-17 00:49:23 +00:00
parent e1b9ab4b9a
commit 1d31bd651e
Signed by: eliseuamaro
GPG Key ID: 96DA09D4B97BC2D5
1 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
src/Core/Controller.php
View File

@ -37,6 +37,7 @@ use function App\Core\I18n\_m;
use App\Util\Common; use App\Util\Common;
use App\Util\Exception\ClientException; use App\Util\Exception\ClientException;
use App\Util\Exception\RedirectException; use App\Util\Exception\RedirectException;
use App\Util\Exception\ServerException;
use Exception; use Exception;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController; use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\EventDispatcher\EventSubscriberInterface; use Symfony\Component\EventDispatcher\EventSubscriberInterface;
@ -44,6 +45,7 @@ use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack; use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\ControllerEvent; use Symfony\Component\HttpKernel\Event\ControllerEvent;
use Symfony\Component\HttpKernel\Event\ExceptionEvent; use Symfony\Component\HttpKernel\Event\ExceptionEvent;
use Symfony\Component\HttpKernel\Event\ViewEvent; use Symfony\Component\HttpKernel\Event\ViewEvent;
@ -107,6 +109,9 @@ abstract class Controller extends AbstractController implements EventSubscriberI
/** /**
* Symfony event when the controller result is not a Response object * Symfony event when the controller result is not a Response object
*
* @throws ClientException
* @throws ServerException
*/ */
public function onKernelView(ViewEvent $event) public function onKernelView(ViewEvent $event)
{ {
@ -126,10 +131,9 @@ abstract class Controller extends AbstractController implements EventSubscriberI
unset($this->vars['_template'], $response['_template']); unset($this->vars['_template'], $response['_template']);
// Respond in the most preferred acceptable content type // Respond in the most preferred acceptable content type
$route = $request->get('_route'); $route = $request->get('_route');
$accept = $request->getAcceptableContentTypes() ?: ['text/html']; $accept = $request->getAcceptableContentTypes() ?: ['text/html'];
$format = $request->getFormat($accept[0]); $format = $request->getFormat($accept[0]);
$potential_response = null; $potential_response = null;
if (Event::handle('ControllerResponseInFormat', [ if (Event::handle('ControllerResponseInFormat', [
'route' => $route, 'route' => $route,
@ -144,6 +148,15 @@ abstract class Controller extends AbstractController implements EventSubscriberI
case 'html': case 'html':
if ($template !== null) { if ($template !== null) {
$event->setResponse($this->render($template, $this->vars)); $event->setResponse($this->render($template, $this->vars));
// Setting the Content-Security-Policy response header
$policy = "default-src 'self' 'unsafe-inline';"
. "script-src 'self' 'unsafe-inline'";
$potential_response = $event->getResponse();
$potential_response->headers->set('Content-Security-Policy', $policy);
$potential_response->headers->set('X-Content-Security-Policy', $policy);
$potential_response->headers->set('X-WebKit-CSP', $policy);
break; break;
} else { } else {
// no break, goto default // no break, goto default