aboutsummaryrefslogtreecommitdiffstatshomepage
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/.sledjChisl.conf.lua1
-rw-r--r--src/sledjchisl/sledjchisl.c29
2 files changed, 28 insertions, 2 deletions
diff --git a/src/.sledjChisl.conf.lua b/src/.sledjChisl.conf.lua
index dab7b18..59cb833 100644
--- a/src/.sledjChisl.conf.lua
+++ b/src/.sledjChisl.conf.lua
@@ -20,6 +20,7 @@ config =
20 ["webRoot"] = "/var/www/html"; 20 ["webRoot"] = "/var/www/html";
21 ["webHost"] = "localhost"; 21 ["webHost"] = "localhost";
22 ["URL"] = "sledjchisl.fcgi"; 22 ["URL"] = "sledjchisl.fcgi";
23 ["webIframers"] = ""; -- Space separated list of hosts allowed to iFrame us, coz someone asked. Include the "https://" bit.
23 ["seshTimeOut"] = 30 * 60; -- seconds 24 ["seshTimeOut"] = 30 * 60; -- seconds
24 ["idleTimeOut"] = 24 * 60 * 60; -- seconds 25 ["idleTimeOut"] = 24 * 60 * 60; -- seconds
25 ["newbieTimeOut"] = 30; -- days 26 ["newbieTimeOut"] = 30; -- days
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index 8e9108e..6bb9b48 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -446,6 +446,7 @@ char *Tcmd = "tmux -S";
446char *webRoot = "/var/www/html"; 446char *webRoot = "/var/www/html";
447char *URL = "fcgi-bin/sledjchisl.fcgi"; 447char *URL = "fcgi-bin/sledjchisl.fcgi";
448char *ToS = "Be good."; 448char *ToS = "Be good.";
449char *webIframers = "";
449int seshTimeOut = 30 * 60; 450int seshTimeOut = 30 * 60;
450int idleTimeOut = 24 * 60 * 60; 451int idleTimeOut = 24 * 60 * 60;
451int newbieTimeOut = 30; 452int newbieTimeOut = 30;
@@ -6305,6 +6306,7 @@ jit library is loaded or the JIT compiler will not be activated.
6305 if ((vd = configs->get (configs, "idleTimeOut", NULL, false)) != NULL) {idleTimeOut = (int) *((float *) vd); D("Setting idleTimeOut = %d", idleTimeOut);} 6306 if ((vd = configs->get (configs, "idleTimeOut", NULL, false)) != NULL) {idleTimeOut = (int) *((float *) vd); D("Setting idleTimeOut = %d", idleTimeOut);}
6306 if ((vd = configs->get (configs, "newbieTimeOut", NULL, false)) != NULL) {newbieTimeOut = (int) *((float *) vd); D("Setting newbieTimeOut = %d", newbieTimeOut);} 6307 if ((vd = configs->get (configs, "newbieTimeOut", NULL, false)) != NULL) {newbieTimeOut = (int) *((float *) vd); D("Setting newbieTimeOut = %d", newbieTimeOut);}
6307 if ((tmp = configs->getstr(configs, "ToS", false)) != NULL) {ToS = tmp; D("Setting ToS = %s", ToS);} 6308 if ((tmp = configs->getstr(configs, "ToS", false)) != NULL) {ToS = tmp; D("Setting ToS = %s", ToS);}
6309 if ((tmp = configs->getstr(configs, "webIframers", false)) != NULL) {webIframers = tmp; D("Setting webIframers = %s", webIframers);}
6308 6310
6309 6311
6310 // Use a FHS compatible setup - 6312 // Use a FHS compatible setup -
@@ -6675,9 +6677,32 @@ t("BODY");
6675 Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate"); 6677 Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate");
6676 Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache"); 6678 Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache");
6677 Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1"); 6679 Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1");
6678// Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "script-src 'self'"); // This can get complex. 6680 Rd->Rheaders->putstr(Rd->Rheaders, "Strict-Transport-Security", "max-age=63072000"); // Two years.
6681// TODO - do something about this -
6682 /* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
6683 "Note: Disallowing inline styles and inline scripts is one of
6684 the biggest security wins CSP provides. However, if you
6685 absolutely have to use it, there are a few mechanisms that
6686 will allow them."
6687
6688 WTF? And the mechanisms include nonces, hashes, or 'unsafe-inline'.
6689 Not sure why inline styles need to be that secure, when downloaded ones are not.
6690 Ah, it's for user input that is sent back to other users, they might include funky CSS in their input.
6691 SOOOO, proper validation and escaping is needed.
6692 OOOOR, use the nonce, and make it a different nonce per page serve.
6693 OOOOR, just put all the style stuff in a .css file. Then we can use style-src 'self' without the 'unsafe-inline'?
6694 There's only one block of <style in the header I think.
6695 */
6696 // Content-Security-Policy can get complex, and I first wrote that when it was very simple. lol
6697 if ('\0' != webIframers[0])
6698 Rd->Rheaders->putstrf(Rd->Rheaders, "Content-Security-Policy",
6699 "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self' %s", webIframers);
6700 else
6701 {
6702 Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'");
6703 Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN"); // This is deprecated, and is an all or nothing thing.
6704 }
6679 Rd->Rheaders->putstr(Rd->Rheaders, "X-XSS-Protection", "1;mode=block"); 6705 Rd->Rheaders->putstr(Rd->Rheaders, "X-XSS-Protection", "1;mode=block");
6680 Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN");
6681 Rd->Rheaders->putstr(Rd->Rheaders, "X-Content-Type-Options", "nosniff"); 6706 Rd->Rheaders->putstr(Rd->Rheaders, "X-Content-Type-Options", "nosniff");
6682// Failed experiment, looks like JavaScript is the only way to change headers for the session ID. 6707// Failed experiment, looks like JavaScript is the only way to change headers for the session ID.
6683// Rd->Rheaders->putstr(Rd->Rheaders, "X-Toke-N-Munchie", "foo, bar"); 6708// Rd->Rheaders->putstr(Rd->Rheaders, "X-Toke-N-Munchie", "foo, bar");