Commit 84bb810a authored by Emma's avatar Emma 🏳🌈

add Content-Security-Policy, other security stuff

parent d06708a6
......@@ -24,4 +24,5 @@ return [
EightPoints\Bundle\GuzzleBundle\EightPointsGuzzleBundle::class => ['all' => true],
Symfony\Bundle\MakerBundle\MakerBundle::class => ['dev' => true],
Symfony\WebpackEncoreBundle\WebpackEncoreBundle::class => ['all' => true],
Nelmio\SecurityBundle\NelmioSecurityBundle::class => ['all' => true],
];
nelmio_security:
# prevents framing of the entire site
clickjacking:
paths:
'^/.*': DENY
# disables content type sniffing for script resources
content_type:
nosniff: true
# Send a full URL in the `Referer` header when performing a same-origin
# request, and send no header to other destinations.
referrer_policy:
enabled: true
policies:
- 'same-origin'
csp:
enabled: true
enforce:
default-src:
- self
img-src:
- self
- 'data:'
external_redirects:
abort: true
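Review bot: The enforced policy under `csp.enforce` sets only `default-src` and `img-src`, and the directives that do not fall back to `default-src` — `base-uri`, `form-action` and `frame-ancestors` — are therefore left unrestricted, so an injected `<base>` element could repoint every relative script URL and a form could be posted off-site. I would add `base-uri` and `form-action` as `self` and `frame-ancestors` as `none` next to `img-src`; the last mirrors the `clickjacking: DENY` rule above for browsers that give CSP precedence over `X-Frame-Options`. With `enforce` only and no `report-uri`, any inline handler this commit missed fails silently in users' browsers — a report endpoint (or a parallel `report:` block) would surface those. The nonces emitted by the `cspscript`/`cspstyle` tags elsewhere in this commit presumably get merged into `script-src`/`style-src` derived from `default-src` by the bundle; confirm that against the rendered header rather than assuming it.
```yaml
csp:
  enabled: true
  enforce:
    # … unchanged: default-src, img-src …
    base-uri:
      - self
    form-action:
      - self
    frame-ancestors:
      - none
    # route/logger for this endpoint must be configured separately — confirm
    report-uri:
      - '/csp/report'
```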
......@@ -176,6 +176,18 @@
"monolog/monolog": {
"version": "1.23.0"
},
"nelmio/security-bundle": {
"version": "2.4",
"recipe": {
"repo": "github.com/symfony/recipes",
"branch": "master",
"version": "2.4",
"ref": "65726efb67ff51d89de38195bc0d230fa811f64d"
},
"files": [
"config/packages/nelmio_security.yaml"
]
},
"nikic/php-parser": {
"version": "v4.0.1"
},
......@@ -452,15 +464,6 @@
"symfony/security-core": {
"version": "v4.2.2"
},
"symfony/security-csrf": {
"version": "v4.2.2"
},
"symfony/security-guard": {
"version": "v4.2.2"
},
"symfony/security-http": {
"version": "v4.2.2"
},
"symfony/serializer": {
"version": "v4.0.3"
},
......@@ -565,6 +568,9 @@
"twig/twig": {
"version": "v2.4.4"
},
"ua-parser/uap-php": {
"version": "v3.8.8"
},
"webmozart/assert": {
"version": "1.2.0"
},
......@@ -25,7 +25,7 @@
{% endblock form_widget_simple %}
{%- block honeypot_row -%}
<div style="display: none">
<div hidden>
{{- form_widget(form) -}}
</div>
{%- endblock honeypot_row -%}
......@@ -180,15 +180,19 @@
{%- if not reload -%}
<img src="{{ captcha_code }}" alt="" title="captcha" width="{{ captcha_width }}" height="{{ captcha_height }}">
{%- else -%}
<a class="captcha_reload" href="javascript:reload_{{ image_id }}();">
<img src="{{ captcha_code }}" alt="" id="{{ image_id }}" title="{{ 'Renew'|trans({}, 'gregwar_captcha') }}" width="{{ captcha_width }}" height="{{ captcha_height }}">
<a class="captcha_reload" href="#" id="reload_{{ image_id }}">
<img src="{{ captcha_code }}" alt="" title="{{ 'Renew'|trans({}, 'gregwar_captcha') }}" width="{{ captcha_width }}" height="{{ captcha_height }}">
</a>
<script type="text/javascript">
function reload_{{ image_id }}() {
var img = document.getElementById('{{ image_id }}');
img.src = '{{ captcha_code }}?n=' + (new Date()).getTime();
}
</script>
{% cspscript %}
<script>
(function (linkId) {
document.getElementById(linkId).addEventListener('click', function () {
var img = this.getElementsByTagName('img')[0];
img.src = '{{ captcha_code|e('js') }}?n=' + (new Date()).getTime();
});
})('reload_{{ image_id|e('js') }}');
</script>
{% endcspscript %}
{%- endif -%}
</div>
{{- form_widget(form) -}}
......@@ -215,11 +219,6 @@
{{- form_rest(form) -}}
{% endblock form_widget_compound %}
{% block honeypot_widget %}
{%- set attr = attr|merge({'style': 'display: none'}) -%}
{{- block('form_widget') -}}
{% endblock honeypot_widget %}
{# repeated form type #}
{% block repeated_errors %}
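Review bot: In the captcha hunk (`@@ -180`), the reload link is now `href="#"` with a click listener that never cancels the default action, so every click also navigates to `#` — the page jumps to the top and the URL gains a fragment — which the old `javascript:` URL did not do; take the event and cancel it: `addEventListener('click', function (event) {` followed by `event.preventDefault();`. Applying `e('js')` to `captcha_code` and `image_id` inside the string literals is the right call for a nonce'd inline script and should be kept. Separately, in the `honeypot_row` hunk the inline `display: none` became the `hidden` attribute, whose user-agent rule is overridden by any author rule that sets `display` on `div` (utility classes included), so the honeypot field could become visible to real users and get filled in; keep a `[hidden] { display: none !important; }` rule in the shared stylesheet, or confirm one already exists. The `honeypot_widget` block removed in the last hunk was the only other thing hiding that input, so the row's `hidden` is now its sole guard.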
......@@ -10,6 +10,9 @@
{%- set font_family = font_family~' "'~(name|e('css'))~'",' %}
{%- endfor %}
{%- endfor %}
<style>:root { --font-family: {{ font_family|trim(' ,')|raw }} }</style>
{% cspstyle %}
<style>:root { --font-family: {{ font_family|trim(' ,')|raw }} }</style>
{% endcspstyle %}
{{ encore_entry_link_tags('core') }}
......@@ -16,9 +16,11 @@
{% block javascripts %}
{{ parent() }}
<script>
$('.delete-forum').click(function () {
return confirm(Translator.trans('forum_form.confirm_delete'));
});
</script>
{% cspscript %}
<script>
$('.delete-forum').click(function () {
return confirm(Translator.trans('forum_form.confirm_delete'));
});
</script>
{% endcspscript %}
{% endblock %}
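Review bot: Wrapping the two-line confirm handler in `cspscript` keeps it working, but it turns a per-template inline script into a per-response nonce requirement, and the identical handler is duplicated in the submission template in this same commit; a nonce-free alternative is to mark the button with `data-confirm="{{ 'forum_form.confirm_delete'|trans }}"` and attach one delegated click handler in the bundled `core` entry, leaving nothing inline to allow. If these pages are served from a shared full-page cache, the nonce baked into a cached response is reused across users, which defeats its purpose — confirm the caching setup before relying on `cspscript` here. The handler still assumes `$` and `Translator` are defined by the time this block runs, which depends on what `{{ parent() }}` emits outside this hunk.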
......@@ -12,9 +12,11 @@
{% block javascripts %}
{{ parent() }}
<script>
$('.delete-submission-button').click(function () {
return confirm(Translator.trans('submission_form.confirm_delete'));
});
</script>
{% cspscript %}
<script>
$('.delete-submission-button').click(function () {
return confirm(Translator.trans('submission_form.confirm_delete'));
});
</script>
{% endcspscript %}
{% endblock %}
......@@ -36,7 +36,8 @@
{% include '_includes/empty.html.twig' %}
{% endif %}
<script class="js-update-comment-count"
data-comment-count="{{ submission.comments|length }}"
data-submission-id="{{ submission.id }}"></script>
<div class="js-update-comment-count"
data-comment-count="{{ submission.comments|length }}"
data-submission-id="{{ submission.id }}"
hidden></div>
{% endblock %}