diff --git a/app/Config/App.php b/app/Config/App.php
index 2eacd2de7..abed4897e 100644
--- a/app/Config/App.php
+++ b/app/Config/App.php
@@ -277,7 +277,7 @@ class App extends BaseConfig
 * @see http://www.html5rocks.com/en/tutorials/security/content-security-policy/
 * @see http://www.w3.org/TR/CSP/
 */
- public bool $CSPEnabled = false;
+ public bool $CSPEnabled = false; //TODO: Currently CSP3 tags are not supported so enabling this causes problems with script-src-elem, style-src-attr and style-src-elem
 
 public function __construct()
 {
diff --git a/app/Config/ContentSecurityPolicy.php b/app/Config/ContentSecurityPolicy.php
index 2ac41a70d..b71d9ff78 100644
--- a/app/Config/ContentSecurityPolicy.php
+++ b/app/Config/ContentSecurityPolicy.php
@@ -47,28 +47,45 @@ class ContentSecurityPolicy extends BaseConfig
 *
 * @var list|string|null
 */
- public $defaultSrc;
+ public $defaultSrc = [
+ 'self',
+ 'www.google.com',
+ ];
 
 /**
 * Lists allowed scripts' URLs.
 *
 * @var list|string
 */
- public $scriptSrc = 'self';
+ public $scriptSrc = [
+ 'self',
+ 'unsafe-inline',
+ 'unsafe-eval',
+ 'www.google.com www.gstatic.com'
+ ];
 
 /**
 * Lists allowed stylesheets' URLs.
 *
 * @var list|string
 */
- public $styleSrc = 'self';
+ public $styleSrc = [
+ 'self',
+ 'unsafe-inline',
+ 'nonce-{csp-style-nonce}',
+ 'https://fonts.googleapis.com',
+ ];
 
- /**
+ /**
 * Defines the origins from which images can be loaded.
 *
 * @var list|string
 */
- public $imageSrc = 'self';
+ public $imageSrc = [
+ 'self',
+ 'data:',
+ 'blob:',
+ ];
 
 /**
 * Restricts the URLs that can appear in a page's `` element.
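Review bot: The reason for keeping `$CSPEnabled` at `false` is recorded as a trailing `//TODO` on the property line, which is easy to miss and sits outside the property's docblock; move it into the docblock above, e.g. `* NOTE: left disabled because CSP Level 3 directives (script-src-elem, style-src-attr, style-src-elem) are not yet supported by the CSP builder; enabling it emits a policy that conflicts with the one set in public/.htaccess.` With the flag off, the new source lists in app/Config/ContentSecurityPolicy.php are inert and the `Header add Content-Security-Policy` line in public/.htaccess remains the only enforced policy, so the two now have to be kept in sync by hand — worth stating in the same docblock so nobody edits one and expects the other to follow. The claim about CSP3 support is inferred from the TODO text only; I cannot verify it from this diff.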
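Review bot: `$styleSrc` combines `'unsafe-inline'` with `'nonce-{csp-style-nonce}'`, and under CSP Level 2 semantics a browser that sees a nonce or hash source ignores `'unsafe-inline'`, so one of the two entries is dead — keep `'nonce-{csp-style-nonce}'` if inline styles are meant to be nonced, otherwise drop it rather than shipping a pair whose effective meaning depends on the browser's CSP level. In `$scriptSrc`, `'www.google.com www.gstatic.com'` packs two hosts into one list element and also lacks the trailing comma the other arrays use; split it into `'www.google.com',` and `'www.gstatic.com',` so each entry is a single source and the list is consistent with `$defaultSrc`, `$styleSrc` and `$imageSrc`. `$scriptSrc` also carries both `'unsafe-inline'` and `'unsafe-eval'`, which leaves script-src giving little protection against injected script; a short comment naming which scripts require each keyword would let a later change remove them. The property docblocks that follow continue outside the hunk.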
@@ -92,14 +109,21 @@ class ContentSecurityPolicy extends BaseConfig
 *
 * @var list|string
 */
- public $connectSrc = 'self';
+ public $connectSrc = [
+ 'self',
+ 'nominatim.openstreetmap.org',
+ ];
 
 /**
 * Specifies the origins that can serve web fonts.
 *
 * @var list|string
 */
- public $fontSrc;
+ public $fontSrc = [
+ 'self',
+ 'fonts.googleapis.com',
+ 'fonts.gstatic.com',
+ ];
 
 /**
 * Lists valid endpoints for submission from `
` tags.
@@ -138,14 +162,14 @@ class ContentSecurityPolicy extends BaseConfig
 *
 * @var list|string
 */
- public $objectSrc = 'self';
+ public $objectSrc = 'none';
 
 /**
 * @var list|string|null
 */
 public $manifestSrc;
 
- /**
+ /**
 * Limits the kinds of plugins a page may invoke.
 *
 * @var list|string|null
diff --git a/public/.htaccess b/public/.htaccess
index 0068903e3..f9bfc285b 100644
--- a/public/.htaccess
+++ b/public/.htaccess
@@ -68,7 +68,7 @@ Options All -Indexes
 Header always set X-Frame-Options "SAMEORIGIN"
- Header add Content-Security-Policy "default-src 'self' www.google.com; connect-src 'self' nominatim.openstreetmap.org; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com; img-src 'self' data:; object-src 'none'; form-action 'self'"
+ Header add Content-Security-Policy "default-src 'self' www.google.com; connect-src 'self' nominatim.openstreetmap.org; script-src 'self' 'unsafe-inline' 'unsafe-eval' www.google.com www.gstatic.com; style-src 'self' 'unsafe-inline' fonts.googleapis.com; font-src 'self' fonts.googleapis.com fonts.gstatic.com; img-src 'self' data: blob:; object-src 'none'; form-action 'self'"
 Header set X-Content-Type-Options "nosniff"
 Header set X-XSS-Protection "1; mode=block"
 Header set X-Frame-Options "DENY"
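Review bot: The updated line still uses `Header add Content-Security-Policy`, which appends a header rather than replacing one, so the moment `$CSPEnabled` in app/Config/App.php is switched on the response would carry two Content-Security-Policy headers; browsers enforce every policy they receive, so the `nonce-{csp-style-nonce}` entry in app/Config/ContentSecurityPolicy.php could never loosen what this Apache policy forbids. Change it to `Header set Content-Security-Policy "..."` (or `Header always set`, matching the X-Frame-Options line above it) if Apache is meant to own the header, and plan to delete this line once the application-side policy is enabled, since the two definitions are already diverging (this one has no style nonce). The hunk's first two context lines appear to be missing from the collapsed text, so the enclosing `<IfModule>` block, if any, is not visible here.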