From 362fc6c7dddf0522790f9774e6525362389e954b Mon Sep 17 00:00:00 2001 From: Diogo Peralta Cordeiro Date: Sun, 2 Jan 2022 03:14:27 +0000 Subject: [PATCH] [CORE][Controller] Set some safe default headers for every response --- components/FreeNetwork/FreeNetwork.php | 12 ++++++------ src/Core/Controller.php | 22 ++++++++++++---------- 2 files changed, 18 insertions(+), 16 deletions(-) diff --git a/components/FreeNetwork/FreeNetwork.php b/components/FreeNetwork/FreeNetwork.php index 9ad5021539..2ac081c620 100644 --- a/components/FreeNetwork/FreeNetwork.php +++ b/components/FreeNetwork/FreeNetwork.php @@ -54,8 +54,6 @@ use Component\FreeNetwork\Util\WebfingerResource; use Component\FreeNetwork\Util\WebfingerResource\WebfingerResourceActor; use Component\FreeNetwork\Util\WebfingerResource\WebfingerResourceNote; use Exception; -use Plugin\ActivityPub\Entity\ActivitypubActivity; -use Plugin\ActivityPub\Util\TypeResponse; use const PREG_SET_ORDER; use Symfony\Component\HttpFoundation\JsonResponse; use Symfony\Component\HttpFoundation\Response; @@ -209,9 +207,8 @@ class FreeNetwork extends Component return Event::stop; // We got our target, stop handler execution } - $APNote = ActivitypubActivity::getByPK(['object_uri' => $resource]); - if ($APNote instanceof ActivitypubActivity) { - $target = new WebfingerResourceNote(Note::getByPK(['id' => $APNote->getObjectId()])); + if (!\is_null($note = DB::findOneBy(Note::class, ['url' => $resource], return_null: true))) { + $target = new WebfingerResourceNote($note); return Event::stop; // We got our target, stop handler execution } 
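Review bot: The new lookup `DB::findOneBy(Note::class, ['url' => $resource], return_null: true)` in the second hunk matches any note whose URL equals the requested webfinger resource and wraps it in `WebfingerResourceNote` without any scope or visibility check, whereas the removed code only resolved ActivityPub activities by `object_uri`. If `Note` carries a scope/visibility attribute, it seems worth filtering on it here (or confirming that `WebfingerResourceNote` does) so that non-public notes cannot be enumerated through this unauthenticated discovery endpoint. A one-line comment stating why the note table rather than the ActivityPub activity table is now consulted would also help the next reader. The enclosing method starts and ends outside the hunk.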
@@ -270,7 +267,7 @@ class FreeNetwork extends Component * @throws ClientException * @throws ServerException */ - public function onControllerResponseInFormat(string $route, array $accept_header, array $vars, ?TypeResponse &$response = null): bool + public function onControllerResponseInFormat(string $route, array $accept_header, array $vars, ?Response &$response = null): bool { if (!\in_array($route, ['freenetwork_hostmeta', 'freenetwork_hostmeta_format', 'freenetwork_webfinger', 'freenetwork_webfinger_format', 'freenetwork_ownerxrd'])) { return Event::next; @@ -300,6 +297,9 @@ class FreeNetwork extends Component Discovery::XRD_MIMETYPE => new Response(content: $vars['xrd']->to('xml'), headers: $headers), Discovery::JRD_MIMETYPE, Discovery::JRD_MIMETYPE_OLD => new JsonResponse(data: $vars['xrd']->to('json'), headers: $headers, json: true), }; + + $response->headers->set('cache-control', 'no-store, no-cache, must-revalidate'); + return Event::stop; } diff --git a/src/Core/Controller.php b/src/Core/Controller.php index 841f17eb2e..95c19bec14 100644 --- a/src/Core/Controller.php +++ b/src/Core/Controller.php @@ -158,16 +158,6 @@ abstract class Controller extends AbstractController implements EventSubscriberI default: // html (assume if not specified) if ($template !== null) { $event->setResponse($this->render($template, $this->vars)); - - /* // Setting the Content-Security-Policy response header - $policy = "default-src 'self';" - . "script-src 'strict-dynamic' https: http:;" - . "object-src 'none'; base-uri 'none'"; - $potential_response = $event->getResponse(); - $potential_response->headers->set('Content-Security-Policy', $policy); - $potential_response->headers->set('X-Content-Security-Policy', $policy); - $potential_response->headers->set('X-WebKit-CSP', $policy);*/ - break; } else { throw new ClientException(_m('Unsupported format: {format}', ['format' => $format]), 406); // 406 Not Acceptable 
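Review bot: In the `@@ -300,6 +297,9 @@` hunk the `Cache-Control` header is applied with a post-hoc `$response->headers->set(...)` after the `match`, although both `Response` and `JsonResponse` already receive the `$headers` array; adding `$headers['Cache-Control'] = 'no-store, no-cache, must-revalidate';` before the `match` keeps every response header in one place and drops the separate mutation. Either way, a short comment explaining why a public discovery document (host-meta/webfinger) is marked `no-store` would help, since this forbids intermediaries from caching these responses and every discovery request will reach the application. The `$headers` array itself is built outside the hunk.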
@@ -180,6 +170,18 @@ abstract class Controller extends AbstractController implements EventSubscriberI $event->setResponse($potential_response); // @phpstan-ignore-line } + // Set some inoffensive headers to every controller + // TODO: If response already has this set, do not reset! + $event->getResponse()->headers->set('permissions-policy', 'interest-cohort=()'); + $event->getResponse()->headers->set('strict-transport-security', 'max-age=15768000; preload;'); + $event->getResponse()->headers->set('vary', 'Accept-Encoding,Cookie'); + $event->getResponse()->headers->set('x-frame-options', 'SAMEORIGIN'); + $event->getResponse()->headers->set('x-xss-protection', '1; mode=block'); + $policy = "default-src 'self' 'unsafe-inline'; frame-ancestors 'self'; form-action 'self'; style-src 'self' 'unsafe-inline'; img-src * blob: data:;"; + $event->getResponse()->headers->set('Content-Security-Policy', $policy); + $event->getResponse()->headers->set('X-Content-Security-Policy', $policy); + $event->getResponse()->headers->set('X-WebKit-CSP', $policy); + Event::handle('CleanupModule'); return $event;