[PATCH] prevent loading resources from external sites

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

* [PATCH] prevent loading resources from external sites
@ 2017-12-03 19:34 Peter Müller
  0 siblings, 0 replies; only message in thread
From: Peter Müller @ 2017-12-03 19:34 UTC (permalink / raw)
  To: development

[-- Attachment #1: Type: text/plain, Size: 2301 bytes --]

Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.

This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.

Signed-off-by: Peter Müller <peter.mueller(a)link38.eu>
---
 config/httpd/vhosts.d/captive.conf              | 2 ++
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
 config/httpd/vhosts.d/ipfire-interface.conf     | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index e4e1d78f1..2640654fd 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -9,6 +9,8 @@ Listen 1013
 	# code was entered.
 	KeepAlive Off
 
+	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
 	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
 	Alias /assets/ /srv/web/ipfire/html/captive/assets/
 
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index dacf6a005..e7eb6c041 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -18,6 +18,8 @@
     SSLCertificateFile /etc/httpd/server-ecdsa.crt
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
 
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index be15cd041..abc36a61a 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -6,6 +6,8 @@
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
     RewriteRule .* - [F]
 
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
-- 
2.13.6



^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2017-12-03 19:34 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2017-12-03 19:34 [PATCH] prevent loading resources from external sites Peter Müller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox