Merge branch 'csp-middleware' into develop
commit
9ce2d1f560
|
@ -63,7 +63,13 @@ ENCRYPT=false
|
|||
COOKIE_NAME=snipeit_session
|
||||
COOKIE_DOMAIN=null
|
||||
SECURE_COOKIES=false
|
||||
|
||||
|
||||
# --------------------------------------------
|
||||
# OPTIONAL: SECURITY HEADER SETTINGS
|
||||
# --------------------------------------------
|
||||
REFERRER_POLICY=strict-origin
|
||||
DISABLE_CSP=false
|
||||
|
||||
|
||||
# --------------------------------------------
|
||||
|
|
|
@ -20,6 +20,7 @@ class Kernel extends HttpKernel
|
|||
\App\Http\Middleware\FrameGuard::class,
|
||||
\App\Http\Middleware\XssProtectHeader::class,
|
||||
\App\Http\Middleware\ReferrerPolicyHeader::class,
|
||||
\App\Http\Middleware\ContentSecurityPolicyHeader::class,
|
||||
\App\Http\Middleware\NosniffGuard::class,
|
||||
\App\Http\Middleware\CheckForSetup::class,
|
||||
\Fideloper\Proxy\TrustProxies::class,
|
||||
|
|
35
app/Http/Middleware/ContentSecurityPolicyHeader.php
Normal file
35
app/Http/Middleware/ContentSecurityPolicyHeader.php
Normal file
|
@ -0,0 +1,35 @@
|
|||
<?php
|
||||
namespace App\Http\Middleware;
|
||||
|
||||
use Closure;
|
||||
|
||||
class ContentSecurityPolicyHeader
|
||||
{
|
||||
/**
|
||||
* Handle the given request and get the response.
|
||||
*
|
||||
* @param \Illuminate\Http\Request $request
|
||||
* @param \Closure $next
|
||||
* @return \Illuminate\Http\Response
|
||||
*/
|
||||
public function handle($request, Closure $next)
|
||||
{
|
||||
if (config('app.disable_csp')=='true') {
|
||||
$response = $next($request);
|
||||
return $response;
|
||||
}
|
||||
|
||||
$policy[] = "default-src 'self'";
|
||||
$policy[] = "style-src 'self' 'unsafe-inline' oss.maxcdn.com";
|
||||
$policy[] = "script-src 'self' oss.mafxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";
|
||||
$policy[] = "connect-src 'self'";
|
||||
$policy[] = "object-src 'none'";
|
||||
$policy[] = "font-src 'self' data:";
|
||||
$policy[] = "img-src 'self' data: gravatar.com";
|
||||
$policy = join(';', $policy);
|
||||
|
||||
$response = $next($request);
|
||||
$response->headers->set('Content-Security-Policy', $policy);
|
||||
return $response;
|
||||
}
|
||||
}
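Review bot: The script-src host on the third `$policy[]` line reads `oss.mafxcdn.com` while style-src allows `oss.maxcdn.com`, so scripts loaded from the same CDN the stylesheets come from will be blocked by this policy; the line should read `$policy[] = "script-src 'self' oss.maxcdn.com cdnjs.cloudflare.com 'nonce-".csrf_token()."'";`. Using csrf_token() as the CSP nonce is also questionable: the token is per-session rather than per-response, and the same value is rendered into `<meta name="csrf-token">` and `window.Laravel.csrfToken` in the layout hunk of this commit, so the nonce is neither fresh nor secret, which is what a nonce-based script-src relies on; a per-request value such as `base64_encode(random_bytes(16))` generated here, stored on the request or shared with views, and used by every `<script nonce>` template hunk below would be the usual shape. The disable check `config('app.disable_csp')=='true'` relies on loose comparison — Laravel's env() helper normally turns "true"/"false" into booleans, so `if (config('app.disable_csp') === true) {` is the intended test, and a value such as `DISABLE_CSP=1` would otherwise not disable anything. Minor: initialise `$policy = [];` before the appends and prefer `implode` over its alias `join`.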
|
|
@ -169,6 +169,24 @@ return [
|
|||
|
||||
'referrer_policy' => env('REFERRER_POLICY', 'strict-origin'),
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
| CSP
|
||||
|--------------------------------------------------------------------------
|
||||
|
|
||||
| Disable the content security policy that restricts what scripts, images
|
||||
| and styles can load. (This should be left as false if you don't know
|
||||
| what this means.)
|
||||
|
|
||||
| Read more: https://www.w3.org/TR/CSP/
|
||||
| Read more: https://content-security-policy.com
|
||||
|
|
||||
*/
|
||||
|
||||
'disable_csp' => env('DISABLE_CSP', false),
|
||||
|
||||
|
||||
|
||||
|
||||
/*
|
||||
|--------------------------------------------------------------------------
|
||||
|
|
|
@ -5,10 +5,12 @@
|
|||
|
||||
RewriteEngine On
|
||||
|
||||
# Uncomment these two lines to force SSL redirect
|
||||
# Uncomment these two lines to force SSL redirect in Apache
|
||||
# RewriteCond %{HTTPS} off
|
||||
# RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
|
||||
|
||||
|
||||
|
||||
# Redirect Trailing Slashes If Not A Folder...
|
||||
RewriteCond %{REQUEST_FILENAME} !-d
|
||||
RewriteRule ^(.*)/$ /$1 [L,R=301]
|
||||
|
@ -21,4 +23,11 @@
|
|||
# Handle Authorization Header
|
||||
RewriteCond %{HTTP:Authorization} .
|
||||
RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
|
||||
|
||||
# Security Headers
|
||||
Header set Strict-Transport-Security "max-age=2592000" env=HTTPS
|
||||
Header set X-XSS-Protection "1; mode=block"
|
||||
Header set X-Content-Type-Options nosniff
|
||||
Header set X-Permitted-Cross-Domain-Policies "master-only"
|
||||
|
||||
</IfModule>
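Review bot: The four `Header set` lines added after the Authorization rewrite rely on mod_headers, but the `<IfModule>` block that encloses them opens outside this hunk and, judging by the `RewriteEngine On` above, appears to test mod_rewrite; on a host without mod_headers an unknown `Header` directive in .htaccess produces a server error for every request. Wrapping the block as `<IfModule mod_headers.c>` … `</IfModule>` around the security headers keeps the file loadable everywhere. Also note that `max-age=2592000` is 30 days, which is well short of the year-scale value usually recommended for Strict-Transport-Security, and the directive has no `includeSubDomains`; if the shorter window is deliberate while the change is trialled, a comment saying so would help the next reader.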
|
||||
|
|
|
@ -94,7 +94,7 @@
|
|||
@section('moar_scripts')
|
||||
|
||||
<script src="{{ asset('js/signature_pad.min.js') }}"></script>
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
var wrapper = document.getElementById("signature-pad"),
|
||||
clearButton = wrapper.querySelector("[data-action=clear]"),
|
||||
saveButton = wrapper.querySelector("[data-action=save]"),
|
||||
|
|
|
@ -16,9 +16,9 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
new Vue({
|
||||
el: "#app",
|
||||
});
|
||||
</script>
|
||||
@endsection
|
||||
@endsection
|
||||
|
|
|
@ -149,7 +149,7 @@
|
|||
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
|
||||
$( "a[name='Request']").click(function(event) {
|
||||
// event.preventDefault();
|
||||
|
|
|
@ -58,7 +58,7 @@
|
|||
|
||||
@section('moar_scripts')
|
||||
@include ('partials.bootstrap-table', ['exportFile' => 'maintenances-export', 'search' => true])
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
function maintenanceActions(value, row) {
|
||||
var actions = '<nobr>';
|
||||
if ((row) && (row.available_actions.update === true)) {
|
||||
|
|
|
@ -134,7 +134,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(document).ready(function(){
|
||||
|
||||
// Only display the custom format field if it's a custom format validation type
|
||||
|
|
|
@ -82,7 +82,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
var fixHelperModified = function(e, tr) {
|
||||
var $originals = tr.children();
|
||||
var $helper = tr.clone();
|
||||
|
|
|
@ -253,7 +253,7 @@
|
|||
@endif
|
||||
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -108,7 +108,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(function() {
|
||||
$('#assigned_to').on("change",function () {
|
||||
// console.warn("Model Id has changed!");
|
||||
|
|
|
@ -154,7 +154,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(function() {
|
||||
$('#assigned_user').on("change",function () {
|
||||
var userid = $('#assigned_user option:selected').val();
|
||||
|
|
|
@ -160,7 +160,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
|
||||
|
||||
|
||||
|
|
|
@ -190,7 +190,7 @@
|
|||
@endif
|
||||
|
||||
</div></div></div>
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(document).ready(function(){
|
||||
|
||||
$('#generate-password').pGenerator({
|
||||
|
|
|
@ -125,7 +125,7 @@
|
|||
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
|
||||
$("#audit-form").submit(function (event) {
|
||||
$('#audited-div').show();
|
||||
|
|
|
@ -703,7 +703,7 @@
|
|||
@section('moar_scripts')
|
||||
@include ('partials.bootstrap-table', ['simple_view' => true])
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(document).delegate('*[data-toggle="lightbox"]', 'click', function(event) {
|
||||
event.preventDefault();
|
||||
$(this).ekkoLightbox();
|
||||
|
|
|
@ -83,7 +83,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
new Vue({
|
||||
el: '#app'
|
||||
});
|
||||
|
|
|
@ -27,13 +27,13 @@
|
|||
|
||||
<meta name="csrf-token" content="{{ csrf_token() }}">
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
window.Laravel = { csrfToken: '{{ csrf_token() }}' };
|
||||
</script>
|
||||
|
||||
|
||||
|
||||
<style>
|
||||
<style nonce="{{ csrf_token() }}">
|
||||
@if ($snipeSettings)
|
||||
@if ($snipeSettings->header_color)
|
||||
.main-header .navbar, .main-header .logo {
|
||||
|
@ -70,7 +70,7 @@
|
|||
|
||||
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
window.snipeit = {
|
||||
settings: {
|
||||
"per_page": {{ $snipeSettings->per_page }}
|
||||
|
@ -662,7 +662,7 @@
|
|||
|
||||
|
||||
<script src="{{ url(mix('js/dist/all.js')) }}"></script>
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(function () {
|
||||
var datepicker = $.fn.datepicker.noConflict(); // return $.fn.datepicker to previously assigned value
|
||||
$.fn.bootstrapDP = datepicker;
|
||||
|
@ -677,14 +677,14 @@
|
|||
@section('moar_scripts')
|
||||
@show
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(function () {
|
||||
$('[data-toggle="tooltip"]').tooltip();
|
||||
})
|
||||
</script>
|
||||
|
||||
@if ((Session::get('topsearch')=='true') || (Request::is('/')))
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$("#tagSearch").focus();
|
||||
</script>
|
||||
@endif
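Review bot: The nonce attribute added to the `<style>` tag in the @ -27 hunk has no effect under the policy the new middleware emits: its style-src is `'self' 'unsafe-inline' oss.maxcdn.com` with no nonce source, so the inline block is admitted by 'unsafe-inline' and the attribute is inert, since browsers only honour a nonce when the directive lists a matching 'nonce-…' source. Either leave the tag as plain `<style>` or, if the intent is to drop 'unsafe-inline' from style-src later, add a comment saying so; as written it suggests a protection that is not in place. The `<script nonce="{{ csrf_token() }}">` edits in the same section share one concern: the value is the session CSRF token, which this layout also prints into `<meta name="csrf-token">` and `window.Laravel.csrfToken`, so the nonce is identical on every response of a session rather than unique per response.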
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
window.snipeit = {
|
||||
settings: {
|
||||
"per_page": 20
|
||||
|
@ -120,7 +120,7 @@
|
|||
</div>
|
||||
<script src="{{ url(mix('js/dist/all.js')) }}"></script>
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(function () {
|
||||
$(".select2").select2();
|
||||
});
|
||||
|
|
|
@ -62,7 +62,7 @@
|
|||
|
||||
@if (!$item->id)
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
|
||||
var $eventSelect = $(".parent");
|
||||
$eventSelect.on("change", function () { parent_details($eventSelect.val()); });
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
|
||||
<script src="/js/pGenerator.jquery.js"></script>
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(document).ready(function () {
|
||||
|
||||
$('#genPassword').pGenerator({
|
||||
|
|
|
@ -13,7 +13,7 @@
|
|||
<script src="{{ asset('js/extensions/toolbar/bootstrap-table-toolbar.js') }}"></script>
|
||||
@endif
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$('.snipe-table').bootstrapTable({
|
||||
classes: 'table table-responsive table-no-bordered',
|
||||
undefinedText: '',
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
new Vue({
|
||||
el: "#app",
|
||||
});
|
||||
|
|
|
@ -146,7 +146,7 @@
|
|||
|
||||
@section('moar_scripts')
|
||||
<!-- bootstrap color picker -->
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
//color picker with addon
|
||||
$(".header-color").colorpicker();
|
||||
// toggle the disabled state of asset id prefix
|
||||
|
|
|
@ -199,7 +199,7 @@
|
|||
|
||||
@section('moar_scripts')
|
||||
<!-- bootstrap color picker -->
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
//color picker with addon
|
||||
$(".header-color").colorpicker();
|
||||
// toggle the disabled state of asset id prefix
|
||||
|
|
|
@ -372,7 +372,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$("#ldaptest").click(function(){
|
||||
$("#ldaptestrow").removeClass('success');
|
||||
$("#ldaptestrow").removeClass('danger');
|
||||
|
|
|
@ -57,7 +57,7 @@
|
|||
|
||||
@section('moar_scripts')
|
||||
<!-- bootstrap color picker -->
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
//color picker with addon
|
||||
$(".color").colorpicker();
|
||||
</script>
|
||||
|
|
|
@ -54,7 +54,7 @@
|
|||
@section('moar_scripts')
|
||||
@include ('partials.bootstrap-table', ['exportFile' => 'statuslabels-export', 'search' => true])
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
function colorSqFormatter(value, row) {
|
||||
if (value) {
|
||||
return '<span class="label" style="background-color: ' + value + ';"> </span> ' + value;
|
||||
|
|
|
@ -553,7 +553,7 @@
|
|||
@stop
|
||||
|
||||
@section('moar_scripts')
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(document).ready(function() {
|
||||
|
||||
$('#email').on('keyup',function(){
|
||||
|
@ -570,7 +570,7 @@ $(document).ready(function() {
|
|||
});
|
||||
</script>
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$('tr.header-row input:radio').click(function() {
|
||||
value = $(this).attr('value');
|
||||
$(this).parent().parent().siblings().each(function() {
|
||||
|
@ -585,7 +585,7 @@ $('.header-name').click(function() {
|
|||
|
||||
<script src="{{ asset('js/pGenerator.jquery.js') }}"></script>
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
|
||||
|
||||
$(document).ready(function(){
|
||||
|
|
|
@ -86,7 +86,7 @@
|
|||
'columns' => \App\Presenters\UserPresenter::dataTableLayout()
|
||||
])
|
||||
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
|
||||
function groupsFormatter(value) {
|
||||
|
||||
|
|
|
@ -491,7 +491,7 @@
|
|||
|
||||
@section('moar_scripts')
|
||||
@include ('partials.bootstrap-table', ['simple_view' => true])
|
||||
<script>
|
||||
<script nonce="{{ csrf_token() }}">
|
||||
$(function () {
|
||||
//binds to onchange event of your input field
|
||||
var uploadedFileSize = 0;
|
||||
|
|