[PATCH] prevent loading resources from external sites - Development

3 Dec 2017

Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.
This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.
Signed-off-by: Peter Müller peter.mueller@link38.eu
---
 config/httpd/vhosts.d/captive.conf              | 2 ++
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
 config/httpd/vhosts.d/ipfire-interface.conf     | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index e4e1d78f1..2640654fd 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -9,6 +9,8 @@ Listen 1013
    # code was entered.
    KeepAlive Off
+	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
    ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
    Alias /assets/ /srv/web/ipfire/html/captive/assets/
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index dacf6a005..e7eb6c041 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -18,6 +18,8 @@
     SSLCertificateFile /etc/httpd/server-ecdsa.crt
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index be15cd041..abc36a61a 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -6,6 +6,8 @@
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
     RewriteRule .* - [F]
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
-- 
2.13.6



    