[Backoffice] Implement open Content Security Policy headers.

Clastic · Nov 3, 2015 · 747f963 · 747f963
1 parent ce5edfa
commit 747f963
Show file tree

Hide file tree

Showing 4 changed files with 154 additions and 63 deletions.
diff --git a/src/Clastic/BackofficeBundle/EventListener/ContentSecurityPolicyListener.php b/src/Clastic/BackofficeBundle/EventListener/ContentSecurityPolicyListener.php
@@ -0,0 +1,70 @@
+<?php
+
+/**
+ * This file is part of the Clastic package.
+ *
+ * (c) Dries De Peuter <dries@nousefreak.be>
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+namespace Clastic\BackofficeBundle\EventListener;
+
+use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
+
+/**
+ * @author Dries De Peuter <dries@nousefreak.be>
+ */
+class ContentSecurityPolicyListener
+{
+    private $environment;
+
+    public function __construct($environment)
+    {
+        $this->environment = $environment;
+    }
+
+    public function onKernelResponse(FilterResponseEvent $event)
+    {
+        $request = $event->getRequest();
+
+        if (!$event->isMasterRequest()) {
+            return;
+        }
+
+        if ($request->getRequestFormat() != 'html') {
+            return;
+        }
+
+        if (!preg_match('/^\/admin/', $request->getPathInfo())) {
+            return;
+        }
+
+        $event->getResponse()->headers->set('Content-Security-Policy', $this->buildOptions());
+    }
+
+    private function buildOptions()
+    {
+        $options = [
+            'default-src' => '',
+            'img-src'     => 'https://secure.gravatar.com',
+            'font-src'    => 'https://netdna.bootstrapcdn.com',
+
+            // Needed for CKeditor
+            'style-src'   => '\'unsafe-inline\'',
+            'script-src'  => '\'unsafe-inline\' \'unsafe-eval\'',
+
+            // Needed for jsTree
+            'child-src'  => 'blob:',
+        ];
+
+        if ($this->environment == 'dev') {
+            $options['img-src'] .= ' data:';
+        }
+
+        $options = array_map(function ($value, $key) {
+            return trim(sprintf('%s \'self\' %s', $key, $value));
+        }, $options, array_keys($options));
+
+        return implode('; ', $options);
+    }
+}
diff --git a/src/Clastic/BackofficeBundle/Resources/config/services.form.xml b/src/Clastic/BackofficeBundle/Resources/config/services.form.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+    <parameters>
+        <parameter key="clastic.backoffice.type.tabs.class">Clastic\BackofficeBundle\Form\Type\TabsType</parameter>
+        <parameter key="clastic.backoffice.type.tabs_tab.class">Clastic\BackofficeBundle\Form\Type\TabsTabType</parameter>
+        <parameter key="clastic.backoffice.type.tabs_tab_actions.class">Clastic\BackofficeBundle\Form\Type\TabsTabActionsType</parameter>
+        <parameter key="clastic.backoffice.type.multi_select.class">Clastic\BackofficeBundle\Form\Type\MultiSelectType</parameter>
+        <parameter key="clastic.backoffice.type.wysiwyg.class">Clastic\BackofficeBundle\Form\Type\WysiwygType</parameter>
+        <parameter key="clastic.backoffice.type.datepicker.class">Clastic\BackofficeBundle\Form\Type\DatePickerType</parameter>
+        <parameter key="clastic.backoffice.type.entity_hidden.class">Clastic\BackofficeBundle\Form\Type\EntityHiddenType</parameter>
+        <parameter key="clastic.backoffice.type.entity_multi_select.class">Clastic\BackofficeBundle\Form\Type\EntityMultiSelectType</parameter>
+        <parameter key="clastic.backoffice.type.tree.class">Clastic\BackofficeBundle\Form\Type\TreeType</parameter>
+        <parameter key="clastic.backoffice.type.settings.class">Clastic\BackofficeBundle\Form\Type\SettingsFormType</parameter>
+        <parameter key="clastic.backoffice.type.fieldset.class">Clastic\BackofficeBundle\Form\Type\FieldsetType</parameter>
+        <parameter key="clastic.backoffice.type.link.class">Clastic\BackofficeBundle\Form\Type\LinkType</parameter>
+        <parameter key="clastic.backoffice.node.form_build.class">Clastic\BackofficeBundle\EventListener\NodeFormBuildListener</parameter>
+    </parameters>
+
+    <services>
+        <service id="clastic.backoffice.type.tabs" class="%clastic.backoffice.type.tabs.class%">
+            <tag name="form.type" alias="tabs" />
+        </service>
+
+        <service id="clastic.backoffice.type.tabs_tab" class="%clastic.backoffice.type.tabs_tab.class%">
+            <tag name="form.type" alias="tabs_tab" />
+        </service>
+
+        <service id="clastic.backoffice.type.tabs_tab_actions" class="%clastic.backoffice.type.tabs_tab_actions.class%">
+            <tag name="form.type" alias="tabs_tab_actions" />
+        </service>
+
+        <service id="clastic.backoffice.type.multi_select" class="%clastic.backoffice.type.multi_select.class%">
+            <tag name="form.type" alias="multi_select" />
+        </service>
+
+        <service id="clastic.backoffice.type.wysiwyg" class="%clastic.backoffice.type.wysiwyg.class%">
+            <tag name="form.type" alias="wysiwyg" />
+        </service>
+
+        <service id="clastic.backoffice.type.datepicker" class="%clastic.backoffice.type.datepicker.class%">
+            <tag name="form.type" alias="datepicker" />
+        </service>
+
+        <service id="clastic.backoffice.type.entity_hidden" class="%clastic.backoffice.type.entity_hidden.class%">
+            <tag name="form.type" alias="entity_hidden" />
+            <argument type="service" id="doctrine.orm.entity_manager"/>
+        </service>
+
+        <service id="clastic.backoffice.type.entity_multi_select" class="%clastic.backoffice.type.entity_multi_select.class%">
+            <tag name="form.type" alias="entity_multi_select" />
+        </service>
+
+        <service id="clastic.backoffice.type.tree" class="%clastic.backoffice.type.tree.class%">
+            <tag name="form.type" alias="tree" />
+        </service>
+
+        <service id="clastic.backoffice.type.settings" class="%clastic.backoffice.type.settings.class%">
+            <tag name="form.type" alias="clastic_settings" />
+        </service>
+
+        <service id="clastic.backoffice.type.fieldset" class="%clastic.backoffice.type.fieldset.class%">
+            <tag name="form.type" alias="fieldset" />
+        </service>
+
+        <service id="clastic.backoffice.type.link" class="%clastic.backoffice.type.link.class%">
+            <tag name="form.type" alias="link" />
+        </service>
+    </services>
+</container>
diff --git a/src/Clastic/BackofficeBundle/Resources/config/services.xml b/src/Clastic/BackofficeBundle/Resources/config/services.xml
@@ -4,75 +4,18 @@
     xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
 
+    <imports>
+        <import resource="./services.form.xml"/>
+    </imports>
+
     <parameters>
-        <parameter key="clastic.backoffice.type.tabs.class">Clastic\BackofficeBundle\Form\Type\TabsType</parameter>
-        <parameter key="clastic.backoffice.type.tabs_tab.class">Clastic\BackofficeBundle\Form\Type\TabsTabType</parameter>
-        <parameter key="clastic.backoffice.type.tabs_tab_actions.class">Clastic\BackofficeBundle\Form\Type\TabsTabActionsType</parameter>
-        <parameter key="clastic.backoffice.type.multi_select.class">Clastic\BackofficeBundle\Form\Type\MultiSelectType</parameter>
-        <parameter key="clastic.backoffice.type.wysiwyg.class">Clastic\BackofficeBundle\Form\Type\WysiwygType</parameter>
-        <parameter key="clastic.backoffice.type.datepicker.class">Clastic\BackofficeBundle\Form\Type\DatePickerType</parameter>
-        <parameter key="clastic.backoffice.type.entity_hidden.class">Clastic\BackofficeBundle\Form\Type\EntityHiddenType</parameter>
-        <parameter key="clastic.backoffice.type.entity_multi_select.class">Clastic\BackofficeBundle\Form\Type\EntityMultiSelectType</parameter>
-        <parameter key="clastic.backoffice.type.tree.class">Clastic\BackofficeBundle\Form\Type\TreeType</parameter>
-        <parameter key="clastic.backoffice.type.settings.class">Clastic\BackofficeBundle\Form\Type\SettingsFormType</parameter>
-        <parameter key="clastic.backoffice.type.fieldset.class">Clastic\BackofficeBundle\Form\Type\FieldsetType</parameter>
-        <parameter key="clastic.backoffice.type.link.class">Clastic\BackofficeBundle\Form\Type\LinkType</parameter>
-        <parameter key="clastic.backoffice.node.form_build.class">Clastic\BackofficeBundle\EventListener\NodeFormBuildListener</parameter>
         <parameter key="clastic.backoffice.twig.avatar_extension.class">Clastic\BackofficeBundle\Twig\AvatarExtension</parameter>
         <parameter key="clastic.backoffice.exception_listener.class">Clastic\BackofficeBundle\EventListener\ExceptionListener</parameter>
         <parameter key="clastic.backoffice.controller.exception.class">Clastic\BackofficeBundle\Controller\ExceptionController</parameter>
+        <parameter key="clastic.backoffice.response_listener.csp.class">Clastic\BackofficeBundle\EventListener\ContentSecurityPolicyListener</parameter>
     </parameters>
 
     <services>
-        <service id="clastic.backoffice.type.tabs" class="%clastic.backoffice.type.tabs.class%">
-            <tag name="form.type" alias="tabs" />
-        </service>
-
-        <service id="clastic.backoffice.type.tabs_tab" class="%clastic.backoffice.type.tabs_tab.class%">
-            <tag name="form.type" alias="tabs_tab" />
-        </service>
-
-        <service id="clastic.backoffice.type.tabs_tab_actions" class="%clastic.backoffice.type.tabs_tab_actions.class%">
-            <tag name="form.type" alias="tabs_tab_actions" />
-        </service>
-
-        <service id="clastic.backoffice.type.multi_select" class="%clastic.backoffice.type.multi_select.class%">
-            <tag name="form.type" alias="multi_select" />
-        </service>
-
-        <service id="clastic.backoffice.type.wysiwyg" class="%clastic.backoffice.type.wysiwyg.class%">
-            <tag name="form.type" alias="wysiwyg" />
-        </service>
-
-        <service id="clastic.backoffice.type.datepicker" class="%clastic.backoffice.type.datepicker.class%">
-            <tag name="form.type" alias="datepicker" />
-        </service>
-
-        <service id="clastic.backoffice.type.entity_hidden" class="%clastic.backoffice.type.entity_hidden.class%">
-            <tag name="form.type" alias="entity_hidden" />
-            <argument type="service" id="doctrine.orm.entity_manager"/>
-        </service>
-
-        <service id="clastic.backoffice.type.entity_multi_select" class="%clastic.backoffice.type.entity_multi_select.class%">
-            <tag name="form.type" alias="entity_multi_select" />
-        </service>
-
-        <service id="clastic.backoffice.type.tree" class="%clastic.backoffice.type.tree.class%">
-            <tag name="form.type" alias="tree" />
-        </service>
-
-        <service id="clastic.backoffice.type.settings" class="%clastic.backoffice.type.settings.class%">
-            <tag name="form.type" alias="clastic_settings" />
-        </service>
-
-        <service id="clastic.backoffice.type.fieldset" class="%clastic.backoffice.type.fieldset.class%">
-            <tag name="form.type" alias="fieldset" />
-        </service>
-
-        <service id="clastic.backoffice.type.link" class="%clastic.backoffice.type.link.class%">
-            <tag name="form.type" alias="link" />
-        </service>
-
         <service id="clastic.backoffice.twig.avatar_extension" class="%clastic.backoffice.twig.avatar_extension.class%">
             <tag name="twig.extension" />
             <argument type="service" id="security.token_storage" />
@@ -91,5 +34,10 @@
             <argument type="service" id="security.context" />
             <argument type="service" id="router" />
         </service>
+
+        <service id="clastic.backoffice.response_listener.csp" class="%clastic.backoffice.response_listener.csp.class%">
+            <tag name="kernel.event_listener" event="kernel.response" method="onKernelResponse" />
+            <argument>%kernel.environment%</argument>
+        </service>
     </services>
 </container>
diff --git a/src/Clastic/BackofficeBundle/Resources/public/styles/font-awesome.less b/src/Clastic/BackofficeBundle/Resources/public/styles/font-awesome.less
@@ -5,7 +5,7 @@
 @fontawesome_path: '@{vendor_path}/fontawesome/less';
 
 @import "@{fontawesome_path}/variables.less";
-@fa-font-path:        "//netdna.bootstrapcdn.com/font-awesome/4.2.0/fonts";
+@fa-font-path: "https://netdna.bootstrapcdn.com/font-awesome/4.2.0/fonts";
 @import "@{fontawesome_path}/mixins.less";
 @import "@{fontawesome_path}/path.less";
 @import "@{fontawesome_path}/core.less";