GNUsocial/gnu-social
4
0
Fork 1
Code Issues Releases Wiki Activity

[CORE][Controller] Set some safe default headers for every response

Browse Source
This commit is contained in:
Diogo Peralta Cordeiro
2022-01-02 03:14:27 +00:00
parent 046731a05a
commit 362fc6c7dd
2 changed files with 18 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
src/Core/Controller.php
View File

@@ -158,16 +158,6 @@ abstract class Controller extends AbstractController implements EventSubscriberI
default: // html (assume if not specified)
if ($template !== null) {
$event->setResponse($this->render($template, $this->vars));
/* // Setting the Content-Security-Policy response header
$policy = "default-src 'self';"
. "script-src 'strict-dynamic' https: http:;"
. "object-src 'none'; base-uri 'none'";
$potential_response = $event->getResponse();
$potential_response->headers->set('Content-Security-Policy', $policy);
$potential_response->headers->set('X-Content-Security-Policy', $policy);
$potential_response->headers->set('X-WebKit-CSP', $policy);*/
break;
} else {
throw new ClientException(_m('Unsupported format: {format}', ['format' => $format]), 406); // 406 Not Acceptable
@@ -180,6 +170,18 @@ abstract class Controller extends AbstractController implements EventSubscriberI
$event->setResponse($potential_response); // @phpstan-ignore-line
}
// Set some inoffensive headers to every controller
// TODO: If response already has this set, do not reset!
$event->getResponse()->headers->set('permissions-policy', 'interest-cohort=()');
$event->getResponse()->headers->set('strict-transport-security', 'max-age=15768000; preload;');
$event->getResponse()->headers->set('vary', 'Accept-Encoding,Cookie');
$event->getResponse()->headers->set('x-frame-options', 'SAMEORIGIN');
$event->getResponse()->headers->set('x-xss-protection', '1; mode=block');
$policy = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
$event->getResponse()->headers->set('Content-Security-Policy', $policy);
$event->getResponse()->headers->set('X-Content-Security-Policy', $policy);
$event->getResponse()->headers->set('X-WebKit-CSP', $policy);
Event::handle('CleanupModule');
return $event;