From dcbb6f814470c8da8ba79fe39ae8827141a5fa9a Mon Sep 17 00:00:00 2001
From: onefang
Date: Thu, 30 Apr 2020 13:05:13 +1000
Subject: Config option to allow other web sites to iFrame our pages.

Coz someone asked for it.
---
 src/.sledjChisl.conf.lua | 1 +
 src/sledjchisl/sledjchisl.c | 29 +++++++++++++++++++++++++++--
 2 files changed, 28 insertions(+), 2 deletions(-)

diff --git a/src/.sledjChisl.conf.lua b/src/.sledjChisl.conf.lua
index dab7b18..59cb833 100644
--- a/src/.sledjChisl.conf.lua
+++ b/src/.sledjChisl.conf.lua
@@ -20,6 +20,7 @@ config =
 ["webRoot"] = "/var/www/html";
 ["webHost"] = "localhost";
 ["URL"] = "sledjchisl.fcgi";
+ ["webIframers"] = ""; -- Space separated list of hosts allowed to iFrame us, coz someone asked. Include the "https://" bit.
 ["seshTimeOut"] = 30 * 60; -- seconds
 ["idleTimeOut"] = 24 * 60 * 60; -- seconds
 ["newbieTimeOut"] = 30; -- days
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index 8e9108e..6bb9b48 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -446,6 +446,7 @@ char *Tcmd = "tmux -S";
 char *webRoot = "/var/www/html";
 char *URL = "fcgi-bin/sledjchisl.fcgi";
 char *ToS = "Be good.";
+char *webIframers = "";
 int seshTimeOut = 30 * 60;
 int idleTimeOut = 24 * 60 * 60;
 int newbieTimeOut = 30;
@@ -6305,6 +6306,7 @@ jit library is loaded or the JIT compiler will not be activated.
 if ((vd = configs->get (configs, "idleTimeOut", NULL, false)) != NULL) {idleTimeOut = (int) *((float *) vd); D("Setting idleTimeOut = %d", idleTimeOut);}
 if ((vd = configs->get (configs, "newbieTimeOut", NULL, false)) != NULL) {newbieTimeOut = (int) *((float *) vd); D("Setting newbieTimeOut = %d", newbieTimeOut);}
 if ((tmp = configs->getstr(configs, "ToS", false)) != NULL) {ToS = tmp; D("Setting ToS = %s", ToS);}
+ if ((tmp = configs->getstr(configs, "webIframers", false)) != NULL) {webIframers = tmp; D("Setting webIframers = %s", webIframers);}
 // Use a FHS compatible setup -
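Review bot: The comment on the new `webIframers` entry does not say what the empty default means for framing, and the empty default is what most deployments will run with. Whether an empty list keeps the pages un-frameable by other sites, or simply means no framing restriction is sent at all, cannot be told from this file, and the two are very different security postures; the comment should state it, for example `-- Empty (the default) means no other site may iFrame us.` if that is indeed how sledjchisl.c treats it. It would also help to say that each entry is matched as an origin (scheme plus host, optional port), since the note about including the "https://" bit implies that but does not say so.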
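Review bot: `webIframers` is declared as a non-const `char *` pointing at a string literal, and the config comment describes the value as a space-separated list, so it will presumably be tokenized wherever it is consumed; an in-place parser (`strtok`, or writing a NUL over a separator) would then write into the literal, which is undefined behaviour. Declaring it `const char *webIframers = "";` lets the compiler reject such a parse, and the assignment from `configs->getstr` in the later hunk still compiles. The neighbouring `char *ToS` and friends share the form but are never split, so the hazard is specific to this global. The code that consumes the list is not in the hunks shown here, so this is inferred from the config comment rather than from visible code.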
@@ -6675,9 +6677,32 @@ t("BODY");
 Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate");
 Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache");
 Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1");
-// Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "script-src 'self'"); // This can get complex.
+ Rd->Rheaders->putstr(Rd->Rheaders, "Strict-Transport-Security", "max-age=63072000"); // Two years.
+// TODO - do something about this -
+ /* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
+ "Note: Disallowing inline styles and inline scripts is one of
+ the biggest security wins CSP provides. However, if you
+ absolutely have to use it, there are a few mechanisms that
+ will allow them."
+
+ WTF? And the mechanisms include nonces, hashes, or 'unsafe-inline'.
+ Not sure why inline styles need to be that secure, when downloaded ones are not.
+ Ah, it's for user input that is sent back to other users, they might include funky CSS in their input.
+ SOOOO, proper validation and escaping is needed.
+ OOOOR, use the nonce, and make it a different nonce per page serve.
+ OOOOR, just put all the style stuff in a .css file. Then we can use style-src 'self' without the 'unsafe-inline'?
+ There's only one block of