diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php
index a35725520b8..447290b909a 100644
--- a/htdocs/core/website.inc.php
+++ b/htdocs/core/website.inc.php
@@ -134,7 +134,7 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
//header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated.
// Content-Security-Policy-Report-Only
- if (!defined('WEBSITE_MAIN_SECURITY_FORCECSPRO')) {
+ if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCECSPRO')) {
// A default security policy that keep usage of js external component like ckeditor, stripe, google, working
// For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
// default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
@@ -145,7 +145,7 @@ if (!defined('USEDOLIBARRSERVER') && !defined('USEDOLIBARREDITOR')) {
//
// $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
// $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
- $contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO');
+ $contentsecuritypolicy = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCECSPRO');
if (!is_object($hookmanager)) {
include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
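Review bot: Both hunks move the Report-Only policy from the global key `WEBSITE_MAIN_SECURITY_FORCECSPRO` to the per-website key `WEBSITE_<id>_SECURITY_FORCECSPRO` without reading the old key anywhere, so an installation that stored a report-only policy under the old constant presumably stops emitting the `Content-Security-Policy-Report-Only` header after upgrade and loses its violation reporting silently. Unless a migration renames the constant (not visible in this commit), the read in the second hunk should fall back to the legacy value, e.g. `$contentsecuritypolicy = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCECSPRO', getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO'));`, with the `defined()` guard in the first hunk adjusted the same way. The `if (!defined(...))` block and the function around both hunks extend outside them, and whether `$website` is populated at this point of the include is not shown here.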
diff --git a/htdocs/langs/en_US/website.lang b/htdocs/langs/en_US/website.lang
index 37dfb23573e..076c849af79 100644
--- a/htdocs/langs/en_US/website.lang
+++ b/htdocs/langs/en_US/website.lang
@@ -372,6 +372,7 @@ ContentSecurityPolicy=Content Security Policy
WebsiteSecurityForceRP=Website Security RP
WebsiteSecurityForceSTS=Website Security STS
WebsiteSecurityForcePP=Website Security PP
+WebsiteSecurityForceCSPRO=Content Security Policy Report-Only
SecurityPolicySucesfullyRemoved=Content Security Policy successfully removed
ErrorRemovingSecurityPolicy=An error occurred when trying to remove a Content Security Policy
SecurityPolicySucesfullyAdded=Content Security Policy successfully added
diff --git a/htdocs/website/index.php b/htdocs/website/index.php
index e9bb42703cc..d2421d17e95 100644
--- a/htdocs/website/index.php
+++ b/htdocs/website/index.php
@@ -2025,13 +2025,15 @@ if ($action == "updatesecurity" && $usercanedit) {
$securitysts = GETPOST('WEBSITE_'.$object->id.'_SECURITY_FORCESTS', 'alpha');
$securitypp = GETPOST('WEBSITE_'.$object->id.'_SECURITY_FORCEPP', 'alpha');
$securitysp = GETPOST('WEBSITE_'.$object->id.'_SECURITY_FORCECSP', 'alpha');
+ $securitycspro = GETPOST('WEBSITE_'.$object->id.'_SECURITY_FORCECSPRO', 'alpha');
$res1 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCERP', $securityrp, 'chaine', 0, '', $conf->entity);
$res2 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCESTS', $securitysts, 'chaine', 0, '', $conf->entity);
$res3 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCEPP', $securitypp, 'chaine', 0, '', $conf->entity);
$res4 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCECSP', $securitysp, 'chaine', 0, '', $conf->entity);
+ $res5 = dolibarr_set_const($db, 'WEBSITE_'.$object->id.'_SECURITY_FORCECSPRO', $securitycspro, 'chaine', 0, '', $conf->entity);
- if ($res1 >= 0 && $res2 >= 0 && $res3 >= 0 && $res4 >= 0 ) {
+ if ($res1 >= 0 && $res2 >= 0 && $res3 >= 0 && $res4 >= 0 && $res >= 0) {
$db->commit();
setEventMessages($langs->trans("Saved"), null, 'mesgs');
} else {
@@ -4368,7 +4370,7 @@ if ($action == 'editsecurity') { print '
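Review bot: The rewritten condition tests `$res >= 0` instead of `$res5 >= 0`, so the return value of the new `dolibarr_set_const` call for `_SECURITY_FORCECSPRO` is never checked; `$res` is not assigned anywhere in this hunk, and if it is undefined here PHP evaluates `null >= 0` as true (with an undefined-variable warning), so a failed save of the report-only policy still commits and reports "Saved". The line should read `if ($res1 >= 0 && $res2 >= 0 && $res3 >= 0 && $res4 >= 0 && $res5 >= 0) {`. The new value goes through the same `'alpha'` GETPOST filter as the `_SECURITY_FORCECSP` line above it; since CSP directives carry single quotes, semicolons and `*`, it is worth confirming that filter keeps a value like `default-src 'self'` intact before it is stored, though the existing CSP field presumably already relies on that. The `updatesecurity` block continues past the end of the hunk.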
'; $head = websiteconfigPrepareHead($object); - print dol_get_fiche_head($head, 'security', $langs->trans("General"), 0, 'website'); + print dol_get_fiche_head($head, 'security', $langs->trans("General"), -1, 'website'); print '
'; print ''; @@ -4379,26 +4381,33 @@ if ($action == 'editsecurity') { // Force RP print ''; - print ''; + print ''; print ''; print ''; // Force STS print ''; - print ''; + print ''; print ''; print ''; // Force PP print ''; - print ''; + print ''; print ''; print ''; + + $examplecsprule = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;"; + // Force CSPRO + print ''; + print ''; + print ''; + print ''; print '
'.$langs->trans('WebsiteSecurityForceRP').''.$form->textwithpicto($langs->trans('WebsiteSecurityForceRP'), $langs->trans("Recommended").': "strict-origin-when-cross-origin" '.$langs->trans("or").' "same-origin"=more secured"').'id."_SECURITY_FORCERP").'">
'.$langs->trans('WebsiteSecurityForceSTS').''.$form->textwithpicto($langs->trans('WebsiteSecurityForceSTS'), $langs->trans("Example").': "max-age=31536000; includeSubDomains"').'id."_SECURITY_FORCESTS").'">
'.$langs->trans('WebsiteSecurityForcePP').''.$form->textwithpicto($langs->trans('WebsiteSecurityForcePP'), $langs->trans("Example").': "camera=(), microphone=(), geolocation=*"').'id."_SECURITY_FORCEPP").'">
'.$form->textwithpicto($langs->trans('WebsiteSecurityForceCSPRO'), $langs->trans("Exemple").": ".$examplecsprule).'id."_SECURITY_FORCECSPRO").'">
'; print '
'; // Content Security Policy print '
'; print ''; - print ''; + print ''; print ''; print '';
'.$langs->trans("ContentSecurityPolicy").'
'.$form->textwithpicto($langs->trans('ContentSecurityPolicy'), $langs->trans("Exemple").": ".$examplecsprule).'
'.$langs->trans("Value").':
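Review bot: The new CSPRO row, and the changed Content Security Policy cell further down the same hunk, build their help text with `$langs->trans("Exemple")`, while the RP, STS and PP rows above use `$langs->trans("Example")`; unless an `Exemple` key exists in the lang files (the website.lang hunk in this commit adds only `WebsiteSecurityForceCSPRO`), the tooltip will presumably show the raw key. Change both occurrences to `$langs->trans("Example").": ".$examplecsprule`. The example policy shown to administrators, `$examplecsprule`, puts `'unsafe-inline' 'unsafe-eval'` in `default-src`, which is a policy that does not block injected scripts; a comment such as `// Permissive example that keeps bundled JS widgets working; tighten script-src before using it as an enforcing policy` next to its definition would discourage copying it as-is into the enforcing Content-Security-Policy field below. The `editsecurity` block continues outside the hunk.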