Enable default nelmio CSP

vtsykun · Feb 19, 2023 · 5f4907e · 5f4907e
1 parent 27e121d
commit 5f4907e
Show file tree

Hide file tree

Showing 10 changed files with 277 additions and 58 deletions.
diff --git a/composer.json b/composer.json
@@ -43,6 +43,7 @@
         "knplabs/knp-menu-bundle": "^3.2",
         "laminas/laminas-feed": "^2.20",
         "nelmio/cors-bundle": "^2.2",
+        "nelmio/security-bundle": "^3.0",
         "okvpn/cron-bundle": "^0.2",
         "oro/doctrine-extensions": "^2.0",
         "pagerfanta/core": "^3.7",
@@ -92,7 +93,6 @@
             "symfony/flex": true,
             "symfony/runtime": true
         },
-        "optimize-autoloader": true,
         "preferred-install": {
             "*": "dist"
         },

diff --git a/composer.lock b/composer.lock
diff --git a/config/bundles.php b/config/bundles.php
@@ -15,6 +15,7 @@
     Symfony\Bundle\DebugBundle\DebugBundle::class => ['dev' => true],
     Symfony\Bundle\WebProfilerBundle\WebProfilerBundle::class => ['dev' => true,],
     BabDev\PagerfantaBundle\BabDevPagerfantaBundle::class => ['all' => true],
+    Nelmio\SecurityBundle\NelmioSecurityBundle::class => ['all' => true],
 ];
 
 if (!class_exists(Symfony\Bundle\WebProfilerBundle\WebProfilerBundle::class)) {

diff --git a/config/packages/nelmio_security.yaml b/config/packages/nelmio_security.yaml
@@ -0,0 +1,45 @@
+nelmio_security:
+    clickjacking:
+        paths:
+            '^/.*': DENY
+
+    content_type:
+        nosniff: true
+
+    xss_protection:
+        enabled: true
+        mode_block: true
+
+    csp:
+        enabled: true
+        report_logger_service: logger
+        hosts: []
+        content_types: []
+        enforce:
+            browser_adaptive:
+                enabled: false
+            default-src:
+                - 'self'
+            script-src:
+                - 'self'
+                - 'unsafe-eval'
+            connect-src:
+                - 'self'
+            img-src:
+                - 'self'
+                - 'https:'
+                - 'data:'
+            object-src:
+                - 'none'
+            style-src:
+                - 'self'
+                - 'unsafe-inline'
+                - 'https://fonts.googleapis.com'
+            font-src:
+                - 'self'
+                - 'https://fonts.googleapis.com'
+                - 'https://fonts.gstatic.com'
+            frame-src:
+                - 'self'
+            base-uri:
+                - 'none'
diff --git a/public/packeton/css/main.css b/public/packeton/css/main.css
@@ -773,10 +773,12 @@ input:focus:invalid:focus, textarea:focus:invalid:focus, select:focus:invalid:fo
     font-size: 12px;
 }
 
-.btn.loading, .btn.loading:hover, .btn.loading:active {
+.btn.loading, .btn.loading:hover, .btn.loading:active, .btn.loading:focus {
     background-image: url("../img/loader.gif");
     background-position: 95% 50%;
     background-repeat: no-repeat;
+    pointer-events: none;
+    opacity: 0.75;
 }
 
 .btn-default {

diff --git a/public/packeton/js/init.js b/public/packeton/js/init.js
@@ -0,0 +1,9 @@
+if (!String.prototype.htmlSpecialChars) {
+    String.prototype.htmlSpecialChars = function () {
+        return this.replace(/&/g, '&amp;')
+            .replace(/'/g, '&apos;')
+            .replace(/"/g, '&quot;')
+            .replace(/</g, '&lt;')
+            .replace(/>/g, '&gt;');
+    };
+}
diff --git a/public/packeton/js/layout.js b/public/packeton/js/layout.js
@@ -1,35 +1,60 @@
 (function ($, humane) {
     "use strict";
 
+    $('.view-log').on('click', function (e) {
+        e.preventDefault();
+        let target = $(this);
+        let details = target.attr('data-details');
+        let message = target.attr('data-msg');
+        let close = '<a class="close">x</a>';
+        if (message.length > 64) {
+            if (message.length > 120) {
+                details = '<pre>' + message + '</pre>' + details;
+            }
+
+            message = message.substring(0, 60) + '...';
+        }
+
+        message = message.htmlSpecialChars();
+        humane.log([close, message, details], {timeout: 0});
+
+        $('a.close').one('click', function () {
+            humane.remove();
+        });
+    });
+
     /**
      * Ajax error handler
      */
     $.ajaxSetup({
         error: function (xhr) {
-            var resp, message, details = '';
-
+            let resp, message, details = '';
             humane.remove();
 
+            message = '';
             if (xhr.responseText) {
                 try {
                     resp = JSON.parse(xhr.responseText);
                     if (resp.status && resp.status === 'error') {
                         message = resp.message;
                         details = resp.details;
+                    } else if (resp.error) {
+                        message = resp.error;
                     }
                 } catch (e) {
                     message = "We're so sorry, something is wrong on our end.";
                 }
             }
 
+            message = message.htmlSpecialChars();
             humane.log(details ? [message, details] : message, {timeout: 0, clickToClose: true});
         }
     });
 
     /**
      * API Token visibility toggling
      */
-    var token = $('#api-token');
+    let token = $('#api-token');
     token.val('');
 
     $('.btn-show-api-token,#api-token').each(function() {
@@ -38,7 +63,6 @@
             token.select();
 
             $('.btn-show-api-token').text('Your API token');
-
             e.preventDefault();
         });
     });