[Backoffice] Implement open Content Security Policy headers.
1 parent
ce5edfa
commit 747f963
Showing
4 changed files
with
154 additions
and
63 deletions.
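--- a/src/Clastic/BackofficeBundle/EventListener/ContentSecurityPolicyListener.php
+++ b/src/Clastic/BackofficeBundle/EventListener/ContentSecurityPolicyListener.php
@@ -0,0 +1,70 @@
+<?php
+
+/**
+* This file is part of the Clastic package.
+*
+* (c) Dries De Peuter <dries@nousefreak.be>
+* For the full copyright and license information, please view the LICENSE
+* file that was distributed with this source code.
+*/
+namespace Clastic\BackofficeBundle\EventListener;
+
+use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
+
+/**
+* @author Dries De Peuter <dries@nousefreak.be>
+*/
+class ContentSecurityPolicyListener
+{
+private $environment;
+
+public function __construct($environment)
+{
+$this->environment = $environment;
+}
+
+public function onKernelResponse(FilterResponseEvent $event)
+{
+$request = $event->getRequest();
+
+if (!$event->isMasterRequest()) {
+return;
+}
+
+if ($request->getRequestFormat() != 'html') {
+return;
+}
+
+if (!preg_match('/^\/admin/', $request->getPathInfo())) {
+return;
+}
+
+$event->getResponse()->headers->set('Content-Security-Policy', $this->buildOptions());
+}
+
+private function buildOptions()
+{
+$options = [
+'default-src' => '',
+'img-src' => 'https://secure.gravatar.com',
+'font-src' => 'https://netdna.bootstrapcdn.com',
+
+// Needed for CKeditor
+'style-src' => '\'unsafe-inline\'',
+'script-src' => '\'unsafe-inline\' \'unsafe-eval\'',
+
+// Needed for jsTree
+'child-src' => 'blob:',
+];
+
+if ($this->environment == 'dev') {
+$options['img-src'] .= ' data:';
+}
+
+$options = array_map(function ($value, $key) {
+return trim(sprintf('%s \'self\' %s', $key, $value));
+}, $options, array_keys($options));
+
+return implode('; ', $options);
+}
+}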
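Review bot: The `'script-src' => '\'unsafe-inline\' \'unsafe-eval\''` entry in `buildOptions()` leaves inline-script and eval-based injection in `/admin` unmitigated, so this policy only constrains where external scripts may be loaded from and does not give the backoffice the XSS protection CSP is normally deployed for. The `// Needed for CKeditor` comment should state that trade-off, e.g. `// WARNING: 'unsafe-inline'/'unsafe-eval' disable CSP's script-injection mitigation; move CKEditor config out of inline scripts and switch to a nonce`. Separately, `frame-ancestors`, `base-uri` and `form-action` do not fall back to `default-src`, so admin pages stay frameable (clickjacking) and an injected `<base>` can redirect relative script URLs; adding `'frame-ancestors' => '',`, `'base-uri' => '',` and `'form-action' => '',` to `$options` yields `'self'` for each through the existing sprintf. The `preg_match('/^\/admin/', ...)` guard also matches any path that merely starts with `/admin` (e.g. `/administration`); `'/^\/admin(\/|$)/'` makes the intended scope explicit.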
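--- a/src/Clastic/BackofficeBundle/Resources/config/services.form.xml
+++ b/src/Clastic/BackofficeBundle/Resources/config/services.form.xml
@@ -0,0 +1,73 @@
+<?xml version="1.0" ?>
+
+<container xmlns="http://symfony.com/schema/dic/services"
+xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
+
+<parameters>
+<parameter key="clastic.backoffice.type.tabs.class">Clastic\BackofficeBundle\Form\Type\TabsType</parameter>
+<parameter key="clastic.backoffice.type.tabs_tab.class">Clastic\BackofficeBundle\Form\Type\TabsTabType</parameter>
+<parameter key="clastic.backoffice.type.tabs_tab_actions.class">Clastic\BackofficeBundle\Form\Type\TabsTabActionsType</parameter>
+<parameter key="clastic.backoffice.type.multi_select.class">Clastic\BackofficeBundle\Form\Type\MultiSelectType</parameter>
+<parameter key="clastic.backoffice.type.wysiwyg.class">Clastic\BackofficeBundle\Form\Type\WysiwygType</parameter>
+<parameter key="clastic.backoffice.type.datepicker.class">Clastic\BackofficeBundle\Form\Type\DatePickerType</parameter>
+<parameter key="clastic.backoffice.type.entity_hidden.class">Clastic\BackofficeBundle\Form\Type\EntityHiddenType</parameter>
+<parameter key="clastic.backoffice.type.entity_multi_select.class">Clastic\BackofficeBundle\Form\Type\EntityMultiSelectType</parameter>
+<parameter key="clastic.backoffice.type.tree.class">Clastic\BackofficeBundle\Form\Type\TreeType</parameter>
+<parameter key="clastic.backoffice.type.settings.class">Clastic\BackofficeBundle\Form\Type\SettingsFormType</parameter>
+<parameter key="clastic.backoffice.type.fieldset.class">Clastic\BackofficeBundle\Form\Type\FieldsetType</parameter>
+<parameter key="clastic.backoffice.type.link.class">Clastic\BackofficeBundle\Form\Type\LinkType</parameter>
+<parameter key="clastic.backoffice.node.form_build.class">Clastic\BackofficeBundle\EventListener\NodeFormBuildListener</parameter>
+</parameters>
+
+<services>
+<service id="clastic.backoffice.type.tabs" class="%clastic.backoffice.type.tabs.class%">
+<tag name="form.type" alias="tabs" />
+</service>
+
+<service id="clastic.backoffice.type.tabs_tab" class="%clastic.backoffice.type.tabs_tab.class%">
+<tag name="form.type" alias="tabs_tab" />
+</service>
+
+<service id="clastic.backoffice.type.tabs_tab_actions" class="%clastic.backoffice.type.tabs_tab_actions.class%">
+<tag name="form.type" alias="tabs_tab_actions" />
+</service>
+
+<service id="clastic.backoffice.type.multi_select" class="%clastic.backoffice.type.multi_select.class%">
+<tag name="form.type" alias="multi_select" />
+</service>
+
+<service id="clastic.backoffice.type.wysiwyg" class="%clastic.backoffice.type.wysiwyg.class%">
+<tag name="form.type" alias="wysiwyg" />
+</service>
+
+<service id="clastic.backoffice.type.datepicker" class="%clastic.backoffice.type.datepicker.class%">
+<tag name="form.type" alias="datepicker" />
+</service>
+
+<service id="clastic.backoffice.type.entity_hidden" class="%clastic.backoffice.type.entity_hidden.class%">
+<tag name="form.type" alias="entity_hidden" />
+<argument type="service" id="doctrine.orm.entity_manager"/>
+</service>
+
+<service id="clastic.backoffice.type.entity_multi_select" class="%clastic.backoffice.type.entity_multi_select.class%">
+<tag name="form.type" alias="entity_multi_select" />
+</service>
+
+<service id="clastic.backoffice.type.tree" class="%clastic.backoffice.type.tree.class%">
+<tag name="form.type" alias="tree" />
+</service>
+
+<service id="clastic.backoffice.type.settings" class="%clastic.backoffice.type.settings.class%">
+<tag name="form.type" alias="clastic_settings" />
+</service>
+
+<service id="clastic.backoffice.type.fieldset" class="%clastic.backoffice.type.fieldset.class%">
+<tag name="form.type" alias="fieldset" />
+</service>
+
+<service id="clastic.backoffice.type.link" class="%clastic.backoffice.type.link.class%">
+<tag name="form.type" alias="link" />
+</service>
+</services>
+</container>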