From patchwork Mon Dec  4 06:34:02 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: =?utf-8?q?Peter_M=C3=BCller?= <peter.mueller@link38.eu>
X-Patchwork-Id: 1576
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (unknown [172.28.1.200])
	by web02.ipfire.org (Postfix) with ESMTP id 3D33160C75
	for <patchwork@ipfire.org>; Sun,  3 Dec 2017 20:34:16 +0100 (CET)
Received: from mail01.ipfire.org (localhost [IPv6:::1])
	by mail01.ipfire.org (Postfix) with ESMTP id 6CE8925A0;
	Sun,  3 Dec 2017 20:34:15 +0100 (CET)
Received: from mx.link38.eu (mx.link38.eu [188.68.43.123])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client CN "mx.link38.eu",
	Issuer "Let's Encrypt Authority X3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4EF342172
	for <development@lists.ipfire.org>;
	Sun,  3 Dec 2017 20:34:11 +0100 (CET)
X-Virus-Scanned: ClamAV at mx.link38.eu
Received: from mx-fra.brokers.link38.eu (mx-fra.brokers.link38.eu
	[10.141.75.13])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx.link38.eu (Postfix) with ESMTPS id D68B34016F
	for <development@lists.ipfire.org>;
	Sun,  3 Dec 2017 20:34:03 +0100 (CET)
Received: from localhost (localhost [127.0.0.1])
	(using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256
	bits)) (Client did not present a certificate)
	by mx-fra.brokers.link38.eu (Postfix) with ESMTPSA id 570129F1A4
	for <development@lists.ipfire.org>;
	Sun,  3 Dec 2017 20:34:03 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=link38.eu; s=201711;
	t=1512329643; x=1575401643;
	bh=sHB66Th0keI/pmcOU8uGvgcxX1Wm5dpl+55N4J8MFt4=;
	h=Date:From:To:Subject:Message-ID:Content-Type:From:To:Subject:Date:
	Cc;
	b=KEArGi2sS1y1+HtcxjiVGqWkeuS7Q9zbQkujly4ZZrEsPTmoc5L5QfscceZpP5+NA
	Jp33fvoeDmTR5aM1J5J9AxjJMZxn+h84G/dKv+CQ+A1LLRSJ+E8a+uzDZnVgfGcDXP
	VBvQvxpenZyBu0ggZ8ik1VM1K3QUTIjxPIuH4c9bqGJ7iSKapmYrlcK0W3aThiWYbd
	Vj+SsNL7y22/Nl7mLwVJ7MOpl1pxqYQKnUy59cwvINgbc+n5tq+Z0mmeHY5fj1mpun
	HSHHx3JCF5obQ2SlPkUX33YgGqCm1FBzQ+imIg12zzumtl6QqukV2kHWLnNzSIjZA5
	fyulz+EFGqS4g==
Date: Sun, 3 Dec 2017 20:34:02 +0100
From: Peter =?utf-8?q?M=C3=BCller?= <peter.mueller@link38.eu>
To: "development@lists.ipfire.org" <development@lists.ipfire.org>
Subject: [PATCH] prevent loading resources from external sites
Message-ID: <20171203203402.0bbeaa78.peter.mueller@link38.eu>
Organization: Link38
MIME-Version: 1.0
X-BeenThere: development@lists.ipfire.org
X-Mailman-Version: 2.1.21
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
List-Unsubscribe: <https://lists.ipfire.org/mailman/options/development>,
	<mailto:development-request@lists.ipfire.org?subject=unsubscribe>
List-Archive: <https://lists.ipfire.org/pipermail/development/>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Subscribe: <https://lists.ipfire.org/mailman/listinfo/development>,
	<mailto:development-request@lists.ipfire.org?subject=subscribe>
Errors-To: development-bounces@lists.ipfire.org
Sender: "Development" <development-bounces@lists.ipfire.org>

Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.

This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
---
 config/httpd/vhosts.d/captive.conf              | 2 ++
 config/httpd/vhosts.d/ipfire-interface-ssl.conf | 2 ++
 config/httpd/vhosts.d/ipfire-interface.conf     | 2 ++
 3 files changed, 6 insertions(+)

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index e4e1d78f1..2640654fd 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -9,6 +9,8 @@ Listen 1013
 	# code was entered.
 	KeepAlive Off
 
+	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
 	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
 	Alias /assets/ /srv/web/ipfire/html/captive/assets/
 
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index dacf6a005..e7eb6c041 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -18,6 +18,8 @@
     SSLCertificateFile /etc/httpd/server-ecdsa.crt
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
 
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index be15cd041..abc36a61a 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -6,6 +6,8 @@
     RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK|OPTIONS)
     RewriteRule .* - [F]
 
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
+
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None