From e4a459a6edc40b64cba7845b52f3e90666b2818a Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Tue, 16 Feb 2016 23:53:39 +0100 Subject: CSP no inline javascript draft https://github.com/FreshRSS/FreshRSS/issues/1075 --- app/FreshRSS.php | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 62 insertions(+) (limited to 'app/FreshRSS.php') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 044de9cd4..e0e82457c 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -110,6 +110,68 @@ class FreshRSS extends Minz_FrontController { } } + private static function setJavascriptCookie() { + $mark = FreshRSS_Context::$user_conf->mark_when; + $mail = Minz_Session::param('mail', false); + $s = FreshRSS_Context::$user_conf->shortcuts; + $json = json_encode(array( + 'context' => array( + 'auto_remove_article' => !!FreshRSS_Context::isAutoRemoveAvailable(), + 'hide_posts' => !(FreshRSS_Context::$user_conf->display_posts || Minz_Request::actionName() === 'reader'), + 'display_order' => Minz_Request::param('order', FreshRSS_Context::$user_conf->sort_order), + 'auto_mark_article' => !!$mark['article'], + 'auto_mark_site' => !!$mark['site'], + 'auto_mark_scroll' => !!$mark['scroll'], + 'auto_load_more' => !!FreshRSS_Context::$user_conf->auto_load_more, + 'auto_actualize_feeds' => !!Minz_Session::param('actualize_feeds', false), + 'does_lazyload' => !!FreshRSS_Context::$user_conf->lazyload , + 'sticky_post' => !!FreshRSS_Context::isStickyPostEnabled(), + 'html5_notif_timeout' => FreshRSS_Context::$user_conf->html5_notif_timeout, + 'auth_type' => FreshRSS_Context::$system_conf->auth_type, + 'current_user_mail' => $mail ? ('"' . $mail . '"') : null, + 'current_view' => Minz_Request::actionName(), + ), + 'shortcuts' => array( + 'mark_read' => @$s['mark_read'], + 'mark_favorite' => @$s['mark_favorite'], + 'go_website' => @$s['go_website'], + 'prev_entry' => @$s['prev_entry'], + 'next_entry' => @$s['next_entry'], + 'first_entry' => @$s['first_entry'], + 'last_entry' => @$s['last_entry'], + 'collapse_entry' => @$s['collapse_entry'], + 'load_more' => @$s['load_more'], + 'auto_share' => @$s['auto_share'], + 'focus_search' => @$s['focus_search'], + 'user_filter' => @$s['user_filter'], + 'help' => @$s['help'], + 'close_dropdown' => @$s['close_dropdown'], + ), + 'url' => array( + 'index' => _url('index', 'index'), + 'login' => Minz_Url::display(array('c' => 'auth', 'a' => 'login'), 'php'), + 'logout' => Minz_Url::display(array('c' => 'auth', 'a' => 'logout'), 'php'), + 'help' => FRESHRSS_WIKI, + ), + 'i18n' => array( + 'confirmation_default' => _t('gen.js.confirm_action'), + 'notif_title_articles' => _t('gen.js.feedback.title_new_articles'), + 'notif_body_articles' => _t('gen.js.feedback.body_new_articles'), + 'notif_request_failed' => _t('gen.js.feedback.request_failed'), + 'category_empty' => _t('gen.js.category_empty'), + ), + 'icons' => array( + 'close' => _i('close'), + ), + ), JSON_UNESCAPED_UNICODE); + setrawcookie('FreshRSS-vars', rawurlencode($json), 0, Minz_Session::getCookieDir()); + } + + public static function preLayout() { + header("Content-Security-Policy: default-src 'self'; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'"); + self::setJavascriptCookie(); + } + private function loadNotifications() { $notif = Minz_Session::param('notification'); if ($notif) { -- cgit v1.2.3 From 8cdf44c87b7490ebc4cbdf4f2c50dd2a3bdd520d Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Wed, 17 Feb 2016 01:17:56 +0100 Subject: CSP allow iframes E.g. for YouTube videos, etc. https://github.com/FreshRSS/FreshRSS/issues/1075 --- app/FreshRSS.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'app/FreshRSS.php') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index e0e82457c..8eb862aeb 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -168,7 +168,7 @@ class FreshRSS extends Minz_FrontController { } public static function preLayout() { - header("Content-Security-Policy: default-src 'self'; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'"); + header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'"); self::setJavascriptCookie(); } -- cgit v1.2.3 From e3dc7d46e15d97f8bd008acf3489d5e6c22b8daa Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 21 Feb 2016 14:23:24 +0100 Subject: CSP: Use inline JSON instead of one-time cookie Simpler, lighter https://github.com/FreshRSS/FreshRSS/issues/1075 --- app/FreshRSS.php | 58 --------------------------------- app/layout/layout.phtml | 3 ++ app/views/helpers/javascript_vars.phtml | 54 ++++++++++++++++++++++++++++++ p/scripts/main.js | 10 +++--- 4 files changed, 62 insertions(+), 63 deletions(-) create mode 100644 app/views/helpers/javascript_vars.phtml (limited to 'app/FreshRSS.php') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 8eb862aeb..a6ed2a306 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -110,66 +110,8 @@ class FreshRSS extends Minz_FrontController { } } - private static function setJavascriptCookie() { - $mark = FreshRSS_Context::$user_conf->mark_when; - $mail = Minz_Session::param('mail', false); - $s = FreshRSS_Context::$user_conf->shortcuts; - $json = json_encode(array( - 'context' => array( - 'auto_remove_article' => !!FreshRSS_Context::isAutoRemoveAvailable(), - 'hide_posts' => !(FreshRSS_Context::$user_conf->display_posts || Minz_Request::actionName() === 'reader'), - 'display_order' => Minz_Request::param('order', FreshRSS_Context::$user_conf->sort_order), - 'auto_mark_article' => !!$mark['article'], - 'auto_mark_site' => !!$mark['site'], - 'auto_mark_scroll' => !!$mark['scroll'], - 'auto_load_more' => !!FreshRSS_Context::$user_conf->auto_load_more, - 'auto_actualize_feeds' => !!Minz_Session::param('actualize_feeds', false), - 'does_lazyload' => !!FreshRSS_Context::$user_conf->lazyload , - 'sticky_post' => !!FreshRSS_Context::isStickyPostEnabled(), - 'html5_notif_timeout' => FreshRSS_Context::$user_conf->html5_notif_timeout, - 'auth_type' => FreshRSS_Context::$system_conf->auth_type, - 'current_user_mail' => $mail ? ('"' . $mail . '"') : null, - 'current_view' => Minz_Request::actionName(), - ), - 'shortcuts' => array( - 'mark_read' => @$s['mark_read'], - 'mark_favorite' => @$s['mark_favorite'], - 'go_website' => @$s['go_website'], - 'prev_entry' => @$s['prev_entry'], - 'next_entry' => @$s['next_entry'], - 'first_entry' => @$s['first_entry'], - 'last_entry' => @$s['last_entry'], - 'collapse_entry' => @$s['collapse_entry'], - 'load_more' => @$s['load_more'], - 'auto_share' => @$s['auto_share'], - 'focus_search' => @$s['focus_search'], - 'user_filter' => @$s['user_filter'], - 'help' => @$s['help'], - 'close_dropdown' => @$s['close_dropdown'], - ), - 'url' => array( - 'index' => _url('index', 'index'), - 'login' => Minz_Url::display(array('c' => 'auth', 'a' => 'login'), 'php'), - 'logout' => Minz_Url::display(array('c' => 'auth', 'a' => 'logout'), 'php'), - 'help' => FRESHRSS_WIKI, - ), - 'i18n' => array( - 'confirmation_default' => _t('gen.js.confirm_action'), - 'notif_title_articles' => _t('gen.js.feedback.title_new_articles'), - 'notif_body_articles' => _t('gen.js.feedback.body_new_articles'), - 'notif_request_failed' => _t('gen.js.feedback.request_failed'), - 'category_empty' => _t('gen.js.category_empty'), - ), - 'icons' => array( - 'close' => _i('close'), - ), - ), JSON_UNESCAPED_UNICODE); - setrawcookie('FreshRSS-vars', rawurlencode($json), 0, Minz_Session::getCookieDir()); - } - public static function preLayout() { header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'"); - self::setJavascriptCookie(); } private function loadNotifications() { diff --git a/app/layout/layout.phtml b/app/layout/layout.phtml index 7d718efbd..99a3717bc 100644 --- a/app/layout/layout.phtml +++ b/app/layout/layout.phtml @@ -8,6 +8,9 @@ + mark_when; +$mail = Minz_Session::param('mail', false); +$s = FreshRSS_Context::$user_conf->shortcuts; +echo htmlspecialchars(json_encode(array( + 'context' => array( + 'auto_remove_article' => !!FreshRSS_Context::isAutoRemoveAvailable(), + 'hide_posts' => !(FreshRSS_Context::$user_conf->display_posts || Minz_Request::actionName() === 'reader'), + 'display_order' => Minz_Request::param('order', FreshRSS_Context::$user_conf->sort_order), + 'auto_mark_article' => !!$mark['article'], + 'auto_mark_site' => !!$mark['site'], + 'auto_mark_scroll' => !!$mark['scroll'], + 'auto_load_more' => !!FreshRSS_Context::$user_conf->auto_load_more, + 'auto_actualize_feeds' => !!Minz_Session::param('actualize_feeds', false), + 'does_lazyload' => !!FreshRSS_Context::$user_conf->lazyload , + 'sticky_post' => !!FreshRSS_Context::isStickyPostEnabled(), + 'html5_notif_timeout' => FreshRSS_Context::$user_conf->html5_notif_timeout, + 'auth_type' => FreshRSS_Context::$system_conf->auth_type, + 'current_user_mail' => $mail ? ('"' . $mail . '"') : null, + 'current_view' => Minz_Request::actionName(), + ), + 'shortcuts' => array( + 'mark_read' => @$s['mark_read'], + 'mark_favorite' => @$s['mark_favorite'], + 'go_website' => @$s['go_website'], + 'prev_entry' => @$s['prev_entry'], + 'next_entry' => @$s['next_entry'], + 'first_entry' => @$s['first_entry'], + 'last_entry' => @$s['last_entry'], + 'collapse_entry' => @$s['collapse_entry'], + 'load_more' => @$s['load_more'], + 'auto_share' => @$s['auto_share'], + 'focus_search' => @$s['focus_search'], + 'user_filter' => @$s['user_filter'], + 'help' => @$s['help'], + 'close_dropdown' => @$s['close_dropdown'], + ), + 'url' => array( + 'index' => _url('index', 'index'), + 'login' => Minz_Url::display(array('c' => 'auth', 'a' => 'login'), 'php'), + 'logout' => Minz_Url::display(array('c' => 'auth', 'a' => 'logout'), 'php'), + 'help' => FRESHRSS_WIKI, + ), + 'i18n' => array( + 'confirmation_default' => _t('gen.js.confirm_action'), + 'notif_title_articles' => _t('gen.js.feedback.title_new_articles'), + 'notif_body_articles' => _t('gen.js.feedback.body_new_articles'), + 'notif_request_failed' => _t('gen.js.feedback.request_failed'), + 'category_empty' => _t('gen.js.category_empty'), + ), + 'icons' => array( + 'close' => _i('close'), + ), +), JSON_UNESCAPED_UNICODE), ENT_NOQUOTES); diff --git a/p/scripts/main.js b/p/scripts/main.js index 31b07721a..f07cdafd7 100644 --- a/p/scripts/main.js +++ b/p/scripts/main.js @@ -1245,10 +1245,10 @@ function init_configuration_alert() { }); } -function parseJavaScriptCookie() { - var vars = decodeURIComponent(document.cookie.replace(/(?:(?:^|.*;\s*)FreshRSS-vars\s*\=\s*([^;]*).*$)|^.*$/, "$1")); - document.cookie = 'FreshRSS-vars=; expires=Thu, 01 Jan 1970 00:00:00 GMT'; - var json = JSON.parse(vars); +function parseJsonVars() { + var jsonVars = document.getElementById('jsonVars'), + json = JSON.parse(jsonVars.innerHTML); + jsonVars.outerHTML = ''; window.context = json.context; window.shortcuts = json.shortcuts; window.url = json.url; @@ -1264,7 +1264,7 @@ function init_all() { window.setTimeout(init_all, 50); return; } - parseJavaScriptCookie(); + parseJsonVars(); init_notifications(); init_confirm_action(); $stream = $('#stream'); -- cgit v1.2.3 From cb913a3a76daf357ad36ca39c26b4aaf800211d2 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 21 Feb 2016 19:15:23 +0100 Subject: CSP for statistics and forms https://github.com/FreshRSS/FreshRSS/issues/1075 --- CHANGELOG.md | 2 ++ app/FreshRSS.php | 6 +++++- app/layout/aside_feed.phtml | 2 +- app/layout/nav_menu.phtml | 2 +- app/views/extension/index.phtml | 2 +- app/views/feed/add.phtml | 2 +- app/views/helpers/pagination.phtml | 2 +- app/views/stats/idle.phtml | 2 +- app/views/stats/index.phtml | 10 +++++----- app/views/stats/repartition.phtml | 10 +++++----- app/views/subscription/index.phtml | 4 ++-- p/scripts/main.js | 6 +++--- p/themes/base-theme/template.css | 8 ++++++++ 13 files changed, 36 insertions(+), 22 deletions(-) (limited to 'app/FreshRSS.php') diff --git a/CHANGELOG.md b/CHANGELOG.md index 7f96839eb..7fc872040 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,8 @@ ## 2016-xx-xx FreshRSS 1.3.1-beta +* Security + * Added CSP `Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075) * UI * Fixed several small bugs in global and reader view [#1050](https://github.com/FreshRSS/FreshRSS/pull/1050) * Updated to jQuery 2.2 and changed code for auto-load on scroll [#1050](https://github.com/FreshRSS/FreshRSS/pull/1050) diff --git a/app/FreshRSS.php b/app/FreshRSS.php index a6ed2a306..62ea18d96 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -111,7 +111,11 @@ class FreshRSS extends Minz_FrontController { } public static function preLayout() { - header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *; style-src 'self' 'unsafe-inline'"); + if (Minz_Request::controllerName() === 'stats') { + header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'"); + } else { + header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *"); + } } private function loadNotifications() { diff --git a/app/layout/aside_feed.phtml b/app/layout/aside_feed.phtml index 307db6af8..4e1903a7a 100644 --- a/app/layout/aside_feed.phtml +++ b/app/layout/aside_feed.phtml @@ -19,7 +19,7 @@ - +
  • diff --git a/app/layout/nav_menu.phtml b/app/layout/nav_menu.phtml index 3a755b560..0f303beb8 100644 --- a/app/layout/nav_menu.phtml +++ b/app/layout/nav_menu.phtml @@ -79,7 +79,7 @@ ); ?> - + diff --git a/app/views/helpers/pagination.phtml b/app/views/helpers/pagination.phtml index b20201c4b..7eca8c525 100755 --- a/app/views/helpers/pagination.phtml +++ b/app/views/helpers/pagination.phtml @@ -14,7 +14,7 @@ ); ?> - +
    • diff --git a/app/views/stats/idle.phtml b/app/views/stats/idle.phtml index 22117792d..11b7df8c4 100644 --- a/app/views/stats/idle.phtml +++ b/app/views/stats/idle.phtml @@ -18,7 +18,7 @@

      - +
        diff --git a/app/views/stats/index.phtml b/app/views/stats/index.phtml index c11b88999..0a2fbdb10 100644 --- a/app/views/stats/index.phtml +++ b/app/views/stats/index.phtml @@ -66,18 +66,18 @@

        -
        +

        -
        +
        -
        +

        -
        +
        diff --git a/app/views/stats/repartition.phtml b/app/views/stats/repartition.phtml index 980b26a3d..ffb2c361e 100644 --- a/app/views/stats/repartition.phtml +++ b/app/views/stats/repartition.phtml @@ -48,17 +48,17 @@

        averageHour); ?>

        -
        +

        averageDayOfWeek); ?>

        -
        -
        +

        averageMonth); ?>

        -
        +
        diff --git a/app/views/subscription/index.phtml b/app/views/subscription/index.phtml index 2cfe3f33c..07cebf817 100644 --- a/app/views/subscription/index.phtml +++ b/app/views/subscription/index.phtml @@ -28,7 +28,7 @@ - @@ -62,7 +62,7 @@
      - + categories as $cat) { diff --git a/p/scripts/main.js b/p/scripts/main.js index cfde5fd4e..d62a6aff8 100644 --- a/p/scripts/main.js +++ b/p/scripts/main.js @@ -899,7 +899,7 @@ function refreshUnreads() { if ((incUnreadsFeed(null, feed_id, nbUnreads - feed_unreads) || isAll) && //Update of current view? (nbUnreads - feed_unreads > 0)) { - $('#new-article').show(); + $('#new-article').attr('aria-hidden', 'false').show(); new_articles = true; }; }); @@ -1122,10 +1122,10 @@ function init_feed_observers() { $('select[id="category"]').on('change', function() { var detail = $('#new_category_name').parent(); if ($(this).val() === 'nc') { - detail.show(); + detail.attr('aria-hidden', 'false').show(); detail.find('input').focus(); } else { - detail.hide(); + detail.attr('aria-hidden', 'true').hide(); } }); } diff --git a/p/themes/base-theme/template.css b/p/themes/base-theme/template.css index 17a43d3ed..8a12423be 100644 --- a/p/themes/base-theme/template.css +++ b/p/themes/base-theme/template.css @@ -110,6 +110,11 @@ td.numeric { /*=== COMPONENTS */ /*===============*/ + +[aria-hidden="true"] { + display: none; +} + /*=== Forms */ .form-group::after { content: ""; @@ -620,6 +625,9 @@ br + br + br { .stat > table { width: 100%; } +.statGraph { + height: 300px; +} /*=== GLOBAL VIEW */ /*================*/ -- cgit v1.2.3 From 38c2d671e3480b8e9fb38491797e44fdea317006 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Sun, 21 Feb 2016 21:25:23 +0100 Subject: CSP different policies per controller https://github.com/FreshRSS/FreshRSS/issues/1075 --- app/FreshRSS.php | 14 ++++++++++---- app/install.php | 1 + 2 files changed, 11 insertions(+), 4 deletions(-) (limited to 'app/FreshRSS.php') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index 62ea18d96..bfbd7a6eb 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -111,10 +111,16 @@ class FreshRSS extends Minz_FrontController { } public static function preLayout() { - if (Minz_Request::controllerName() === 'stats') { - header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'"); - } else { - header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *"); + switch (Minz_Request::controllerName()) { + case 'index': + header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *"); + break; + case 'stats': + header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'"); + break; + default: + header("Content-Security-Policy: default-src 'self'"); + break; } } diff --git a/app/install.php b/app/install.php index 03f6e2199..a4a888af2 100644 --- a/app/install.php +++ b/app/install.php @@ -2,6 +2,7 @@ if (function_exists('opcache_reset')) { opcache_reset(); } +header("Content-Security-Policy: default-src 'self'"); define('BCRYPT_COST', 9); -- cgit v1.2.3 From cbac2afd23daaeeb3b5d6c81fdcd5c28619f5b1d Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Tue, 1 Mar 2016 21:56:19 +0100 Subject: CSP compatibility with Firefox older than 45 https://github.com/FreshRSS/FreshRSS/pull/1075 https://github.com/FreshRSS/FreshRSS/pull/1078 https://developer.mozilla.org/en-US/Firefox/Releases/45#Security https://bugzilla.mozilla.org/show_bug.cgi?id=1045891 --- CHANGELOG.md | 2 +- app/FreshRSS.php | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'app/FreshRSS.php') diff --git a/CHANGELOG.md b/CHANGELOG.md index 096c930d1..43823b536 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -3,7 +3,7 @@ ## 2016-03-xx FreshRSS 1.3.1-beta * Security - * Added CSP `Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075) + * Added CSP `Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *` [#1075](https://github.com/FreshRSS/FreshRSS/pull/1075) * Features * New list of domains for which to force HTTPS (for images, videos, iframes…) defined in `./data/force-https.default.txt` and `./data/force-https.txt` [#1083](https://github.com/FreshRSS/FreshRSS/issues/1083) * In particular useful for privacy and to avoid mixed content errors, e.g. to see YouTube videos when FreshRSS is in HTTPS diff --git a/app/FreshRSS.php b/app/FreshRSS.php index bfbd7a6eb..d6f4f4062 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -113,7 +113,7 @@ class FreshRSS extends Minz_FrontController { public static function preLayout() { switch (Minz_Request::controllerName()) { case 'index': - header("Content-Security-Policy: default-src 'self'; child-src *; img-src * data:; media-src *"); + header("Content-Security-Policy: default-src 'self'; child-src *; frame-src *; img-src * data:; media-src *"); break; case 'stats': header("Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'"); -- cgit v1.2.3 From 44be16d4fbc78c14f8ea17160585ed1bec0c8722 Mon Sep 17 00:00:00 2001 From: Alexandre Alapetite Date: Tue, 8 Mar 2016 18:28:04 +0100 Subject: X-Content-Type-Options: nosniff https://github.com/FreshRSS/FreshRSS/issues/1114 --- app/FreshRSS.php | 1 + 1 file changed, 1 insertion(+) (limited to 'app/FreshRSS.php') diff --git a/app/FreshRSS.php b/app/FreshRSS.php index d6f4f4062..bafa970da 100644 --- a/app/FreshRSS.php +++ b/app/FreshRSS.php @@ -122,6 +122,7 @@ class FreshRSS extends Minz_FrontController { header("Content-Security-Policy: default-src 'self'"); break; } + header("X-Content-Type-Options: nosniff"); } private function loadNotifications() { -- cgit v1.2.3