[CORE][Controller] Set some safe default headers for every response
This commit is contained in:
parent
046731a05a
commit
362fc6c7dd
@ -54,8 +54,6 @@ use Component\FreeNetwork\Util\WebfingerResource;
|
|||||||
use Component\FreeNetwork\Util\WebfingerResource\WebfingerResourceActor;
|
use Component\FreeNetwork\Util\WebfingerResource\WebfingerResourceActor;
|
||||||
use Component\FreeNetwork\Util\WebfingerResource\WebfingerResourceNote;
|
use Component\FreeNetwork\Util\WebfingerResource\WebfingerResourceNote;
|
||||||
use Exception;
|
use Exception;
|
||||||
use Plugin\ActivityPub\Entity\ActivitypubActivity;
|
|
||||||
use Plugin\ActivityPub\Util\TypeResponse;
|
|
||||||
use const PREG_SET_ORDER;
|
use const PREG_SET_ORDER;
|
||||||
use Symfony\Component\HttpFoundation\JsonResponse;
|
use Symfony\Component\HttpFoundation\JsonResponse;
|
||||||
use Symfony\Component\HttpFoundation\Response;
|
use Symfony\Component\HttpFoundation\Response;
|
||||||
@ -209,9 +207,8 @@ class FreeNetwork extends Component
|
|||||||
return Event::stop; // We got our target, stop handler execution
|
return Event::stop; // We got our target, stop handler execution
|
||||||
}
|
}
|
||||||
|
|
||||||
$APNote = ActivitypubActivity::getByPK(['object_uri' => $resource]);
|
if (!\is_null($note = DB::findOneBy(Note::class, ['url' => $resource], return_null: true))) {
|
||||||
if ($APNote instanceof ActivitypubActivity) {
|
$target = new WebfingerResourceNote($note);
|
||||||
$target = new WebfingerResourceNote(Note::getByPK(['id' => $APNote->getObjectId()]));
|
|
||||||
return Event::stop; // We got our target, stop handler execution
|
return Event::stop; // We got our target, stop handler execution
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -270,7 +267,7 @@ class FreeNetwork extends Component
|
|||||||
* @throws ClientException
|
* @throws ClientException
|
||||||
* @throws ServerException
|
* @throws ServerException
|
||||||
*/
|
*/
|
||||||
public function onControllerResponseInFormat(string $route, array $accept_header, array $vars, ?TypeResponse &$response = null): bool
|
public function onControllerResponseInFormat(string $route, array $accept_header, array $vars, ?Response &$response = null): bool
|
||||||
{
|
{
|
||||||
if (!\in_array($route, ['freenetwork_hostmeta', 'freenetwork_hostmeta_format', 'freenetwork_webfinger', 'freenetwork_webfinger_format', 'freenetwork_ownerxrd'])) {
|
if (!\in_array($route, ['freenetwork_hostmeta', 'freenetwork_hostmeta_format', 'freenetwork_webfinger', 'freenetwork_webfinger_format', 'freenetwork_ownerxrd'])) {
|
||||||
return Event::next;
|
return Event::next;
|
||||||
@ -300,6 +297,9 @@ class FreeNetwork extends Component
|
|||||||
Discovery::XRD_MIMETYPE => new Response(content: $vars['xrd']->to('xml'), headers: $headers),
|
Discovery::XRD_MIMETYPE => new Response(content: $vars['xrd']->to('xml'), headers: $headers),
|
||||||
Discovery::JRD_MIMETYPE, Discovery::JRD_MIMETYPE_OLD => new JsonResponse(data: $vars['xrd']->to('json'), headers: $headers, json: true),
|
Discovery::JRD_MIMETYPE, Discovery::JRD_MIMETYPE_OLD => new JsonResponse(data: $vars['xrd']->to('json'), headers: $headers, json: true),
|
||||||
};
|
};
|
||||||
|
|
||||||
|
$response->headers->set('cache-control', 'no-store, no-cache, must-revalidate');
|
||||||
|
|
||||||
return Event::stop;
|
return Event::stop;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -158,16 +158,6 @@ abstract class Controller extends AbstractController implements EventSubscriberI
|
|||||||
default: // html (assume if not specified)
|
default: // html (assume if not specified)
|
||||||
if ($template !== null) {
|
if ($template !== null) {
|
||||||
$event->setResponse($this->render($template, $this->vars));
|
$event->setResponse($this->render($template, $this->vars));
|
||||||
|
|
||||||
/* // Setting the Content-Security-Policy response header
|
|
||||||
$policy = "default-src 'self';"
|
|
||||||
. "script-src 'strict-dynamic' https: http:;"
|
|
||||||
. "object-src 'none'; base-uri 'none'";
|
|
||||||
$potential_response = $event->getResponse();
|
|
||||||
$potential_response->headers->set('Content-Security-Policy', $policy);
|
|
||||||
$potential_response->headers->set('X-Content-Security-Policy', $policy);
|
|
||||||
$potential_response->headers->set('X-WebKit-CSP', $policy);*/
|
|
||||||
|
|
||||||
break;
|
break;
|
||||||
} else {
|
} else {
|
||||||
throw new ClientException(_m('Unsupported format: {format}', ['format' => $format]), 406); // 406 Not Acceptable
|
throw new ClientException(_m('Unsupported format: {format}', ['format' => $format]), 406); // 406 Not Acceptable
|
||||||
@ -180,6 +170,18 @@ abstract class Controller extends AbstractController implements EventSubscriberI
|
|||||||
$event->setResponse($potential_response); // @phpstan-ignore-line
|
$event->setResponse($potential_response); // @phpstan-ignore-line
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Set some inoffensive headers to every controller
|
||||||
|
// TODO: If response already has this set, do not reset!
|
||||||
|
$event->getResponse()->headers->set('permissions-policy', 'interest-cohort=()');
|
||||||
|
$event->getResponse()->headers->set('strict-transport-security', 'max-age=15768000; preload;');
|
||||||
|
$event->getResponse()->headers->set('vary', 'Accept-Encoding,Cookie');
|
||||||
|
$event->getResponse()->headers->set('x-frame-options', 'SAMEORIGIN');
|
||||||
|
$event->getResponse()->headers->set('x-xss-protection', '1; mode=block');
|
||||||
|
$policy = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;";
|
||||||
|
$event->getResponse()->headers->set('Content-Security-Policy', $policy);
|
||||||
|
$event->getResponse()->headers->set('X-Content-Security-Policy', $policy);
|
||||||
|
$event->getResponse()->headers->set('X-WebKit-CSP', $policy);
|
||||||
|
|
||||||
Event::handle('CleanupModule');
|
Event::handle('CleanupModule');
|
||||||
|
|
||||||
return $event;
|
return $event;
|
||||||
|
Loading…
Reference in New Issue
Block a user