From 362fc6c7dddf0522790f9774e6525362389e954b Mon Sep 17 00:00:00 2001
From: Diogo Peralta Cordeiro <mail@diogo.site>
Date: Sun, 2 Jan 2022 03:14:27 +0000
Subject: [PATCH] [CORE][Controller] Set some safe default headers for every
 response

---
 components/FreeNetwork/FreeNetwork.php | 12 ++++++------
 src/Core/Controller.php                | 22 ++++++++++++----------
 2 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/components/FreeNetwork/FreeNetwork.php b/components/FreeNetwork/FreeNetwork.php
index 9ad5021539..2ac081c620 100644
--- a/components/FreeNetwork/FreeNetwork.php
+++ b/components/FreeNetwork/FreeNetwork.php
@@ -54,8 +54,6 @@ use Component\FreeNetwork\Util\WebfingerResource;
 use Component\FreeNetwork\Util\WebfingerResource\WebfingerResourceActor;
 use Component\FreeNetwork\Util\WebfingerResource\WebfingerResourceNote;
 use Exception;
-use Plugin\ActivityPub\Entity\ActivitypubActivity;
-use Plugin\ActivityPub\Util\TypeResponse;
 use const PREG_SET_ORDER;
 use Symfony\Component\HttpFoundation\JsonResponse;
 use Symfony\Component\HttpFoundation\Response;
@@ -209,9 +207,8 @@ class FreeNetwork extends Component
             return Event::stop; // We got our target, stop handler execution
         }
 
-        $APNote = ActivitypubActivity::getByPK(['object_uri' => $resource]);
-        if ($APNote instanceof ActivitypubActivity) {
-            $target = new WebfingerResourceNote(Note::getByPK(['id' => $APNote->getObjectId()]));
+        if (!\is_null($note = DB::findOneBy(Note::class, ['url' => $resource], return_null: true))) {
+            $target = new WebfingerResourceNote($note);
             return Event::stop; // We got our target, stop handler execution
         }
 
@@ -270,7 +267,7 @@ class FreeNetwork extends Component
      * @throws ClientException
      * @throws ServerException
      */
-    public function onControllerResponseInFormat(string $route, array $accept_header, array $vars, ?TypeResponse &$response = null): bool
+    public function onControllerResponseInFormat(string $route, array $accept_header, array $vars, ?Response &$response = null): bool
     {
         if (!\in_array($route, ['freenetwork_hostmeta', 'freenetwork_hostmeta_format', 'freenetwork_webfinger', 'freenetwork_webfinger_format', 'freenetwork_ownerxrd'])) {
             return Event::next;
@@ -300,6 +297,9 @@ class FreeNetwork extends Component
             Discovery::XRD_MIMETYPE => new Response(content: $vars['xrd']->to('xml'), headers: $headers),
             Discovery::JRD_MIMETYPE, Discovery::JRD_MIMETYPE_OLD => new JsonResponse(data: $vars['xrd']->to('json'), headers: $headers, json: true),
         };
+
+        $response->headers->set('cache-control', 'no-store, no-cache, must-revalidate');
+
         return Event::stop;
     }
 
diff --git a/src/Core/Controller.php b/src/Core/Controller.php
index 841f17eb2e..95c19bec14 100644
--- a/src/Core/Controller.php
+++ b/src/Core/Controller.php
@@ -158,16 +158,6 @@ abstract class Controller extends AbstractController implements EventSubscriberI
             default: // html (assume if not specified)
                 if ($template !== null) {
                     $event->setResponse($this->render($template, $this->vars));
-
-                    /*                    // Setting the Content-Security-Policy response header
-                                        $policy = "default-src 'self';"
-                                            . "script-src 'strict-dynamic' https: http:;"
-                                            . "object-src 'none'; base-uri 'none'";
-                                        $potential_response = $event->getResponse();
-                                        $potential_response->headers->set('Content-Security-Policy', $policy);
-                                        $potential_response->headers->set('X-Content-Security-Policy', $policy);
-                                        $potential_response->headers->set('X-WebKit-CSP', $policy);*/
-
                     break;
                 } else {
                     throw new ClientException(_m('Unsupported format: {format}', ['format' => $format]), 406); // 406 Not Acceptable
@@ -180,6 +170,18 @@ abstract class Controller extends AbstractController implements EventSubscriberI
             $event->setResponse($potential_response); // @phpstan-ignore-line
         }
 
+        // Set some inoffensive headers to every controller
+        // TODO: If response already has this set, do not reset!
+        $event->getResponse()->headers->set('permissions-policy', 'interest-cohort=()');
+        $event->getResponse()->headers->set('strict-transport-security', 'max-age=15768000; preload;');
+        $event->getResponse()->headers->set('vary', 'Accept-Encoding,Cookie');
+        $event->getResponse()->headers->set('x-frame-options', 'SAMEORIGIN');
+        $event->getResponse()->headers->set('x-xss-protection', '1; mode=block');
+        $policy = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
+        $event->getResponse()->headers->set('Content-Security-Policy', $policy);
+        $event->getResponse()->headers->set('X-Content-Security-Policy', $policy);
+        $event->getResponse()->headers->set('X-WebKit-CSP', $policy);
+
         Event::handle('CleanupModule');
 
         return $event;