From b1fa6f596f8424993f02fcad55d32bd58bf67bc0 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Thu, 21 Dec 2023 13:01:09 +0100 Subject: [PATCH] Add experimental security option MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN --- htdocs/admin/security.php | 2 +- htdocs/admin/system/security.php | 6 ++++++ htdocs/main.inc.php | 9 ++++++++- htdocs/master.inc.php | 2 +- 4 files changed, 16 insertions(+), 3 deletions(-) diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php index 23f7a6d0aca..42945587fee 100644 --- a/htdocs/admin/security.php +++ b/htdocs/admin/security.php @@ -20,7 +20,7 @@ /** * \file htdocs/admin/security.php * \ingroup setup - * \brief Page de configuration du module securite + * \brief Page of setup of security */ // Load Dolibarr environment diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php index 7ad70c385b5..f6c53f9ae2d 100644 --- a/htdocs/admin/system/security.php +++ b/htdocs/admin/system/security.php @@ -740,6 +740,11 @@ print '
'; print 'MAIN_SECURITY_FORCERP = '.getDolGlobalString('MAIN_SECURITY_FORCERP', ''.$langs->trans("Undefined").'').'   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or")." \"same-origin\" so browser doesn't send any referrer when going into another web site domain)
"; print '
'; +print 'MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN = '.getDolGlobalString('MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN', ''.$langs->trans("Undefined").'').'   ('.$langs->trans("Recommended").": 1)
"; +print '
'; + +// For websites + print 'WEBSITE_MAIN_SECURITY_FORCECSPRO = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSPRO', ''.$langs->trans("Undefined").''); print '   ('.$langs->trans("Example").": \"frame-ancestors 'self'; default-src 'self' 'unsafe-inline'; style-src https://cdnjs.cloudflare.com *.googleapis.com; script-src *.transifex.com *.google-analytics.com *.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src * data:;\")
"; print '
'; @@ -757,6 +762,7 @@ print '
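Review bot: The new admin line prints `Recommended: 1` for MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN although the commit subject calls the option experimental, and unlike the neighbouring MAIN_SECURITY_FORCERP entry it gives an administrator no hint of what the option does. Since this page is the only user-facing description of the setting, the parenthesis should say what is sent and why, e.g. `'   ('.$langs->trans("Recommended").": 1 - experimental; sends Access-Control-Allow-Origin limited to the instance's own URL so a more permissive value set elsewhere in the response is overridden)<br>\n"`. The markup inside these print calls appears stripped by rendering, so the exact tags are not checked here.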
'; print 'WEBSITE_MAIN_SECURITY_FORCEPP = '.getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP', ''.$langs->trans("Undefined").'').'   ('.$langs->trans("Example").": \"camera: (); microphone: ();\")
"; print '
'; + print ''; diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php index 614b222baf6..6bf70b996fe 100644 --- a/htdocs/main.inc.php +++ b/htdocs/main.inc.php @@ -1543,11 +1543,18 @@ function top_httphead($contenttype = 'text/html', $forcenocache = 0) // X-Frame-Options if (!defined('XFRAMEOPTIONS_ALLOWALL')) { - header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks) + header("X-Frame-Options: SAMEORIGIN"); // By default, frames allowed only if on same domain (stop some XSS attacks) } else { header("X-Frame-Options: ALLOWALL"); } + if (getDolGlobalString('MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN')) { + $tmpurl = constant('DOL_MAIN_URL_ROOT'); + $tmpurl = preg_replace('/^(https?:\/\/[^\/]+)\/.*$/', '\1', $tmpurl); + header('Access-Control-Allow-Origin: '.$tmpurl); + header('Vary: Origin'); + } + // X-XSS-Protection //header("X-XSS-Protection: 1"); // XSS filtering protection of some browsers (note: use of Content-Security-Policy is more efficient). Disabled as deprecated. diff --git a/htdocs/master.inc.php b/htdocs/master.inc.php index 9a07285c7f1..e5ff0cc237f 100644 --- a/htdocs/master.inc.php +++ b/htdocs/master.inc.php 
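Review bot: The added `Access-Control-Allow-Origin` header names only the application's own origin, so it cannot deny anything a browser would not already deny — CORS headers grant cross-origin reads, they never restrict them — and its only real effect is to override a more permissive value set earlier in the same response, while any later `header('Access-Control-Allow-Origin: *')` call still wins; that limit deserves a comment above the block, e.g. `// Only grants same-origin (already allowed); the point is to override a permissive ACAO set earlier in this response. A later header() call still wins.`. `constant('DOL_MAIN_URL_ROOT')` throws an `Error` on PHP 8 if that constant is not defined when top_httphead() runs, and the regex passes a value that lacks an `https?://` scheme or a trailing path through unchanged, so a malformed config value is sent verbatim; guarding both makes the block fail-closed (no header rather than a wrong one). `header('Vary: Origin')` also replaces any `Vary` header set earlier in this function because PHP's `header()` defaults to replacing, so it should be appended with the `false` argument — and strictly it is not needed, since the value sent does not depend on the request Origin. top_httphead() begins before this hunk and its other headers are not visible here, so the overwrite is inferred rather than shown.

```php
	if (getDolGlobalString('MAIN_SECURITY_FORCE_ACCESS_CONTROL_ALLOW_ORIGIN')) {
		// Only grants same-origin (already allowed by browsers); the point is to override a permissive ACAO set earlier in this response.
		$tmpurl = defined('DOL_MAIN_URL_ROOT') ? (string) constant('DOL_MAIN_URL_ROOT') : '';
		// Fail closed: send nothing unless a scheme://host[:port] can be extracted.
		if (preg_match('/^(https?:\/\/[^\/]+)/', $tmpurl, $reg)) {
			header('Access-Control-Allow-Origin: '.$reg[1]);
			header('Vary: Origin', false); // append, do not clobber an existing Vary
		}
	}
```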
@@ -82,7 +82,7 @@ $conf->file->main_authentication = empty($dolibarr_main_authentication) ? 'dolib $conf->file->main_force_https = empty($dolibarr_main_force_https) ? '' : $dolibarr_main_force_https; // Force https $conf->file->strict_mode = empty($dolibarr_strict_mode) ? '' : $dolibarr_strict_mode; // Force php strict mode (for debug) $conf->file->instance_unique_id = empty($dolibarr_main_instance_unique_id) ? (empty($dolibarr_main_cookie_cryptkey) ? '' : $dolibarr_main_cookie_cryptkey) : $dolibarr_main_instance_unique_id; // Unique id of instance -$conf->file->dol_main_url_root = $dolibarr_main_url_root; +$conf->file->dol_main_url_root = $dolibarr_main_url_root; // Define url inside the config file $conf->file->dol_document_root = array('main' => (string) DOL_DOCUMENT_ROOT); // Define array of document root directories ('/home/htdocs') $conf->file->dol_url_root = array('main' => (string) DOL_URL_ROOT); // Define array of url root path ('' or '/dolibarr') if (!empty($dolibarr_main_document_root_alt)) {