Mirrors/dolibarr
1
0
Fork 0
mirror of https://github.com/Dolibarr/dolibarr.git synced 2025-02-20 13:46:52 +01:00
Code Issues Packages Projects Releases Wiki Activity

New add website security constant for CSPRO

Browse Source
This commit is contained in:
Hystepik 2025-02-14 11:13:39 +01:00
parent d7205f3404
commit 1696e4d154
3 changed files with 18 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
htdocs/core/website.inc.php
View File

@ -134,7 +134,7 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
//header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated.
// Content-Security-Policy-Report-Only
if (!defined('WEBSITE_MAIN_SECURITY_FORCECSPRO')) {
if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCECSPRO')) {
// A default security policy that keep usage of js external component like ckeditor, stripe, google, working
// For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
// default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
@ -145,7 +145,7 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
//
// $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
// $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
$contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO');
$contentsecuritypolicy = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCECSPRO');
if (!is_object($hookmanager)) {
include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';

1
htdocs/langs/en_US/website.lang
View File

@ -372,6 +372,7 @@ ContentSecurityPolicy=Content Security Policy
WebsiteSecurityForceRP=Website Security RP
WebsiteSecurityForceSTS=Website Security STS
WebsiteSecurityForcePP=Website Security PP
WebsiteSecurityForceCSPRO=Content Security Policy Report-Only
SecurityPolicySucesfullyRemoved=Content Security Policy successfully removed
ErrorRemovingSecurityPolicy=An error occurred when trying to remove a Content Security Policy
SecurityPolicySucesfullyAdded=Content Security Policy successfully added

21
htdocs/website/index.php
View File

@ -2025,13 +2025,15 @@ if ($action == "updatesecurity" && $usercanedit) {
$securitysts = GETPOST('WEBSITE_'.$object->id.'_SECURITY_FORCESTS', 'alpha');
$securitypp = GETPOST('WEBSITE_'.$object->id.'_SECURITY_FORCEPP', 'alpha');
$securitysp = GETPOST('WEBSITE_'.$object->id.'_SECURITY_FORCECSP', 'alpha');
$securitycspro = GETPOST('WEBSITE_'.$object->id.'_SECURITY_FORCECSPRO', 'alpha');
$res1 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCERP', $securityrp, 'chaine', 0, '', $conf->entity);
$res2 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCESTS', $securitysts, 'chaine', 0, '', $conf->entity);
$res3 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCEPP', $securitypp, 'chaine', 0, '', $conf->entity);
$res4 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCECSP', $securitysp, 'chaine', 0, '', $conf->entity);
$res5 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCECSPRO', $securitycspro, 'chaine', 0, '', $conf->entity);
if ($res1 >= 0 && $res2 >= 0 && $res3 >= 0 && $res4 >= 0 ) {
if ($res1 >= 0 && $res2 >= 0 && $res3 >= 0 && $res4 >= 0 && $res >= 0) {
$db->commit();
setEventMessages($langs->trans("Saved"), null, 'mesgs');
} else {
@ -4368,7 +4370,7 @@ if ($action == 'editsecurity') {
print '<br>';
$head = websiteconfigPrepareHead($object);
print dol_get_fiche_head($head, 'security', $langs->trans("General"), 0, 'website');
print dol_get_fiche_head($head, 'security', $langs->trans("General"), -1, 'website');
print '<div class="div-table-responsive-no-min">';
print '<table class="noborder centpercent">';
@ -4379,26 +4381,33 @@ if ($action == 'editsecurity') {
// Force RP
print '<tr class="oddeven">';
print '<td>'.$langs->trans('WebsiteSecurityForceRP').'</td>';
print '<td>'.$form->textwithpicto($langs->trans('WebsiteSecurityForceRP'), $langs->trans("Recommended").': "strict-origin-when-cross-origin" '.$langs->trans("or").' "same-origin"=more secured"').'</td>';
print '<td><input class="minwidth500" name="WEBSITE_'.$object->id.'_SECURITY_FORCERP" id="WEBSITE_'.$object->id.'_SECURITY_FORCERP" value="'.getDolGlobalString("WEBSITE_".$object->id."_SECURITY_FORCERP").'"></td>';
print '</tr>';
// Force STS
print '<tr class="oddeven">';
print '<td>'.$langs->trans('WebsiteSecurityForceSTS').'</td>';
print '<td>'.$form->textwithpicto($langs->trans('WebsiteSecurityForceSTS'), $langs->trans("Example").': "max-age=31536000; includeSubDomains"').'</td>';
print '<td><input class="minwidth500" name="WEBSITE_'.$object->id.'_SECURITY_FORCESTS" id="WEBSITE_'.$object->id.'_SECURITY_FORCESTS" value="'.getDolGlobalString("WEBSITE_".$object->id."_SECURITY_FORCESTS").'"></td>';
print '</tr>';
// Force PP
print '<tr class="oddeven">';
print '<td>'.$langs->trans('WebsiteSecurityForcePP').'</td>';
print '<td>'.$form->textwithpicto($langs->trans('WebsiteSecurityForcePP'), $langs->trans("Example").': "camera=(), microphone=(), geolocation=*"').'</td>';
print '<td><input class="minwidth500" name="WEBSITE_'.$object->id.'_SECURITY_FORCEPP" id="WEBSITE_'.$object->id.'_SECURITY_FORCEPP" value="'.getDolGlobalString("WEBSITE_".$object->id."_SECURITY_FORCEPP").'"></td>';
print '</tr>';
$examplecsprule = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
// Force CSPRO
print '<tr class="oddeven">';
print '<td>'.$form->textwithpicto($langs->trans('WebsiteSecurityForceCSPRO'), $langs->trans("Exemple").": ".$examplecsprule).'</td>';
print '<td><input class="minwidth500" name="WEBSITE_'.$object->id.'_SECURITY_FORCECSPRO" id="WEBSITE_'.$object->id.'_SECURITY_FORCECSPRO" value="'.getDolGlobalString("WEBSITE_".$object->id."_SECURITY_FORCECSPRO").'"></td>';
print '</tr>';
print '</table>';
print '</div>';
// Content Security Policy
print '<div class="div-table-responsive-no-min">';
print '<table class="centpercent">';
print '<tr><td>'.$langs->trans("ContentSecurityPolicy").'</td></tr>';
print '<tr><td>'.$form->textwithpicto($langs->trans('ContentSecurityPolicy'), $langs->trans("Exemple").": ".$examplecsprule).'</td></tr>';
print '<tr><td>'.$langs->trans("Value").':</span></td><td colspan=2><input style="width:90%;" class="minwidth500" name="WEBSITE_'.$object->id.'_SECURITY_FORCECSP" id="WEBSITE_'.$object->id.'_SECURITY_FORCECSP" value="'.$forceCSP.'"></td></tr>';
print '<tr><td></td></tr>';