CSP security : Use report-uri directive to have more visibility on violations

desktop/common/js/utils.js

@@ -43,6 +43,17 @@ window.addEventListener('error', function(event) {
   $('#bt_jsErrorModal').show()
   $.hideLoading()
 })
+window.addEventListener("securitypolicyviolation", function(event) {
+  var uri = event.blockedURI;
+  var violation = event.originalPolicy.trim().split(';').find(e => e.trim().startsWith(event.violatedDirective)).trim();
+  if (event.disposition == 'enforce')
+    var msg = `{{Impossible de charger la ressource "${uri}", car elle va contre la directive de Content Security Policy :<br /> "${violation}"}}`;
+  else
+    var msg = `{{La ressource "${uri}" a été chargée, mais elle va contre la directive de Content Security Policy :<br /> "${violation}"}}`;
+  JS_ERROR.push({"filename": event.documentURI, "lineno": "0", "message": msg});
+  $('#bt_jsErrorModal').show();
+  $.hideLoading();
+});
 
 //UI Time display:
 setInterval(function() {

desktop/php/system.php

@@ -33,8 +33,8 @@
         <li class="cursor list-group-item list-group-item-success"><a class="bt_systemCommand" data-command="w">w</a></li>
         <li class="cursor list-group-item list-group-item-success"><a class="bt_systemCommand" data-command="dpkg -l">dpkg -l</a></li>
         <li class="cursor list-group-item list-group-item-success"><a class="bt_systemCommand" data-command="netstat -tupln"> netstat -tupln</a></li>
-        <li class="cursor list-group-item list-group-item-success"><a class="bt_systemCommand" data-command='sudo cp /var/www/html/install/apache_security_unsecure /etc/apache2/conf-available/security.conf;echo "systemctl restart apache2" | sudo at now'> {{Apache non securisé}}</a></li>
-        <li class="cursor list-group-item list-group-item-success"><a class="bt_systemCommand" data-command='sudo cp /var/www/html/install/apache_security /etc/apache2/conf-available/security.conf;echo "systemctl restart apache2" | sudo at now'> {{Apache sécurisé}}</a></li>
+        <li class="cursor list-group-item list-group-item-success"><a class="bt_systemCommand" data-command='sudo cp /var/www/html/install/apache_security_unsecure /etc/apache2/conf-available/security.conf;sudo a2enmod headers;echo "systemctl restart apache2" | sudo at now'> {{Apache non securisé}}</a></li>
+        <li class="cursor list-group-item list-group-item-success"><a class="bt_systemCommand" data-command='sudo cp /var/www/html/install/apache_security /etc/apache2/conf-available/security.conf;sudo a2enmod headers;echo "systemctl restart apache2" | sudo at now'> {{Apache sécurisé}}</a></li>
       </ul>
     </div>
   </div>

install/apache_security

@@ -9,6 +9,6 @@ Header set X-Frame-Options "sameorigin"
 Header set X-XSS-Protection "1; mode=block"
 Header unset X-Powered-By
 Header set Referrer-Policy: strict-origin-when-cross-origin
-Header set Permissions-Policy "accelerometer=(),battery=(),fullscreen=(self),geolocation=(), camera=(),ambient-light-sensor=(self), autoplay=(self)"
+Header set Permissions-Policy "accelerometer=(),battery=(),fullscreen=(self),geolocation=(),camera=(),ambient-light-sensor=(self),autoplay=(self)"
 Header set Content-Security-Policy "default-src 'self' file: data: blob: filesystem:;script-src-attr 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.google.fr;script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.google.fr;script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.google.fr;img-src 'self' *.jeedom.com *.google.com *.google.fr data:;style-src 'self' 'unsafe-inline';style-src-attr 'self' 'unsafe-inline';worker-src blob:;frame-src 'self' *.jeedom.com *.google.com *.google.fr data:;"
 </IfModule>

install/apache_security_unsecure

@@ -1,4 +1,14 @@
 <Directory /var/www/html>
 Options -Indexes -ExecCGI -FollowSymLinks
 AllowOverride All
-</Directory>
+</Directory>
+
+<IfModule mod_headers.c>
+Header set X-Content-Type-Options "nosniff"
+Header set X-Frame-Options "sameorigin"
+Header set X-XSS-Protection "1; mode=block"
+Header unset X-Powered-By
+Header set Referrer-Policy: strict-origin-when-cross-origin
+Header set Permissions-Policy "accelerometer=(),battery=(),fullscreen=(self),geolocation=(),camera=(),ambient-light-sensor=(self),autoplay=(self)"
+Header set Content-Security-Policy-Report-Only "default-src 'self' file: data: blob: filesystem:;script-src-attr 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.google.fr;script-src 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.google.fr;script-src-elem 'self' 'unsafe-inline' 'unsafe-eval' *.google.com *.google.fr;img-src 'self' *.jeedom.com *.google.com *.google.fr data:;style-src 'self' 'unsafe-inline';style-src-attr 'self' 'unsafe-inline';worker-src blob:;frame-src 'self' *.jeedom.com *.google.com *.google.fr data:;"
+</IfModule>

install/update/4.3.0.php

@@ -0,0 +1,7 @@
+<?php
+require_once __DIR__ . '/../../core/php/core.inc.php';
+
+echo 'Ensure Content-Security-Policy (Report-Only) is enabled in apache';
+shell_exec('sudo a2enmod headers');
+shell_exec('grep -c "Content-Security-Policy" /etc/apache2/conf-available/security.conf > /dev/null 2>&1 || sudo cp /var/www/html/install/apache_security_unsecure /etc/apache2/conf-available/security.conf');
+shell_exec('echo "systemctl restart apache2" | sudo at now');