Config option to allow other web sites to iFrame our pages.

Coz someone asked for it.
author: onefang 2020-04-30 13:05:13 +1000
committer: onefang 2020-04-30 13:05:13 +1000
commit: dcbb6f814470c8da8ba79fe39ae8827141a5fa9a (patch)
tree: 1fcfc5ed47b67e48384bbd0dc77b2d553cfb87a7
parent: Don't fall over on NULL FCGI path. (diff)
download: opensim-SC-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.zip
opensim-SC-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.gz
opensim-SC-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.bz2
opensim-SC-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.xz
2 files changed, 28 insertions, 2 deletions
diff --git a/src/.sledjChisl.conf.lua b/src/.sledjChisl.conf.lua
index dab7b18..59cb833 100644
--- a/src/.sledjChisl.conf.lua
+++ b/src/.sledjChisl.conf.lua
@@ -20,6 +20,7 @@ config =
  ["webRoot"]           = "/var/www/html";
  ["webHost"]           = "localhost";
  ["URL"]               = "sledjchisl.fcgi";
+  ["webIframers"]       = "";                   -- Space separated list of hosts allowed to iFrame us, coz someone asked.  Include the "https://" bit.
  ["seshTimeOut"]       = 30 * 60;              -- seconds
  ["idleTimeOut"]       = 24 * 60 * 60;         -- seconds
  ["newbieTimeOut"]     = 30;                   -- days
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index 8e9108e..6bb9b48 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -446,6 +446,7 @@ char *Tcmd = "tmux -S";
 char *webRoot = "/var/www/html";
 char *URL = "fcgi-bin/sledjchisl.fcgi";
 char *ToS = "Be good.";
+char *webIframers = "";
 int  seshTimeOut  = 30 * 60;
 int  idleTimeOut  = 24 * 60 * 60;
 int newbieTimeOut = 30;
@@ -6305,6 +6306,7 @@ jit library is loaded or the JIT compiler will not be activated.
  if ((vd  = configs->get   (configs, "idleTimeOut",    NULL, false))   != NULL)  {idleTimeOut          = (int) *((float *) vd);        D("Setting idleTimeOut = %d", idleTimeOut);}
  if ((vd  = configs->get   (configs, "newbieTimeOut",  NULL, false))   != NULL)  {newbieTimeOut        = (int) *((float *) vd);        D("Setting newbieTimeOut = %d", newbieTimeOut);}
  if ((tmp = configs->getstr(configs, "ToS",      false))               != NULL)  {ToS                  = tmp;                          D("Setting ToS = %s", ToS);}
+  if ((tmp = configs->getstr(configs, "webIframers", false))            != NULL)  {webIframers          = tmp;                          D("Setting webIframers = %s", webIframers);}
  // Use a FHS compatible setup -
@@ -6675,9 +6677,32 @@ t("BODY");
        Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate");
        Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache");
        Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1");
-//      Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "script-src 'self'");     // This can get complex.
+        Rd->Rheaders->putstr(Rd->Rheaders, "Strict-Transport-Security", "max-age=63072000");    // Two years.
+// TODO - do something about this -
+        /* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
+            "Note: Disallowing inline styles and inline scripts is one of
+            the biggest security wins CSP provides. However, if you
+            absolutely have to use it, there are a few mechanisms that
+            will allow them."
+            WTF?  And the mechanisms include nonces, hashes, or 'unsafe-inline'.
+            Not sure why inline styles need to be that secure, when downloaded ones are not.
+            Ah, it's for user input that is sent back to other users, they might include funky CSS in their input.
+            SOOOO, proper validation and escaping is needed.
+            OOOOR, use the nonce, and make it a different nonce per page serve.
+            OOOOR, just put all the style stuff in a .css file.  Then we can use style-src 'self' without the 'unsafe-inline'?
+                There's only one block of <style in the header I think.
+        */
+        // Content-Security-Policy can get complex, and I first wrote that when it was very simple.  lol
+        if ('\0' != webIframers[0])
+          Rd->Rheaders->putstrf(Rd->Rheaders, "Content-Security-Policy", 
+            "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self' %s", webIframers);
+        else
+        {
+          Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'");
+          Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN");  // This is deprecated, and is an all or nothing thing.
+        }
        Rd->Rheaders->putstr(Rd->Rheaders, "X-XSS-Protection", "1;mode=block");
-        Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN");
        Rd->Rheaders->putstr(Rd->Rheaders, "X-Content-Type-Options", "nosniff");
 // Failed experiment, looks like JavaScript is the only way to change headers for the session ID.
 //      Rd->Rheaders->putstr(Rd->Rheaders, "X-Toke-N-Munchie", "foo, bar");
author	onefang	2020-04-30 13:05:13 +1000
committer	onefang	2020-04-30 13:05:13 +1000
commit	dcbb6f814470c8da8ba79fe39ae8827141a5fa9a (patch)
tree	1fcfc5ed47b67e48384bbd0dc77b2d553cfb87a7
parent	Don't fall over on NULL FCGI path. (diff)
download	opensim-SC-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.zip opensim-SC-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.gz opensim-SC-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.bz2 opensim-SC-dcbb6f814470c8da8ba79fe39ae8827141a5fa9a.tar.xz