diff options
Diffstat (limited to 'src')
-rw-r--r-- | src/.sledjChisl.conf.lua | 1 | ||||
-rw-r--r-- | src/sledjchisl/sledjchisl.c | 29 |
2 files changed, 28 insertions, 2 deletions
diff --git a/src/.sledjChisl.conf.lua b/src/.sledjChisl.conf.lua index dab7b18..59cb833 100644 --- a/src/.sledjChisl.conf.lua +++ b/src/.sledjChisl.conf.lua | |||
@@ -20,6 +20,7 @@ config = | |||
20 | ["webRoot"] = "/var/www/html"; | 20 | ["webRoot"] = "/var/www/html"; |
21 | ["webHost"] = "localhost"; | 21 | ["webHost"] = "localhost"; |
22 | ["URL"] = "sledjchisl.fcgi"; | 22 | ["URL"] = "sledjchisl.fcgi"; |
23 | ["webIframers"] = ""; -- Space separated list of hosts allowed to iFrame us, coz someone asked. Include the "https://" bit. | ||
23 | ["seshTimeOut"] = 30 * 60; -- seconds | 24 | ["seshTimeOut"] = 30 * 60; -- seconds |
24 | ["idleTimeOut"] = 24 * 60 * 60; -- seconds | 25 | ["idleTimeOut"] = 24 * 60 * 60; -- seconds |
25 | ["newbieTimeOut"] = 30; -- days | 26 | ["newbieTimeOut"] = 30; -- days |
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c index 8e9108e..6bb9b48 100644 --- a/src/sledjchisl/sledjchisl.c +++ b/src/sledjchisl/sledjchisl.c | |||
@@ -446,6 +446,7 @@ char *Tcmd = "tmux -S"; | |||
446 | char *webRoot = "/var/www/html"; | 446 | char *webRoot = "/var/www/html"; |
447 | char *URL = "fcgi-bin/sledjchisl.fcgi"; | 447 | char *URL = "fcgi-bin/sledjchisl.fcgi"; |
448 | char *ToS = "Be good."; | 448 | char *ToS = "Be good."; |
449 | char *webIframers = ""; | ||
449 | int seshTimeOut = 30 * 60; | 450 | int seshTimeOut = 30 * 60; |
450 | int idleTimeOut = 24 * 60 * 60; | 451 | int idleTimeOut = 24 * 60 * 60; |
451 | int newbieTimeOut = 30; | 452 | int newbieTimeOut = 30; |
@@ -6305,6 +6306,7 @@ jit library is loaded or the JIT compiler will not be activated. | |||
6305 | if ((vd = configs->get (configs, "idleTimeOut", NULL, false)) != NULL) {idleTimeOut = (int) *((float *) vd); D("Setting idleTimeOut = %d", idleTimeOut);} | 6306 | if ((vd = configs->get (configs, "idleTimeOut", NULL, false)) != NULL) {idleTimeOut = (int) *((float *) vd); D("Setting idleTimeOut = %d", idleTimeOut);} |
6306 | if ((vd = configs->get (configs, "newbieTimeOut", NULL, false)) != NULL) {newbieTimeOut = (int) *((float *) vd); D("Setting newbieTimeOut = %d", newbieTimeOut);} | 6307 | if ((vd = configs->get (configs, "newbieTimeOut", NULL, false)) != NULL) {newbieTimeOut = (int) *((float *) vd); D("Setting newbieTimeOut = %d", newbieTimeOut);} |
6307 | if ((tmp = configs->getstr(configs, "ToS", false)) != NULL) {ToS = tmp; D("Setting ToS = %s", ToS);} | 6308 | if ((tmp = configs->getstr(configs, "ToS", false)) != NULL) {ToS = tmp; D("Setting ToS = %s", ToS);} |
6309 | if ((tmp = configs->getstr(configs, "webIframers", false)) != NULL) {webIframers = tmp; D("Setting webIframers = %s", webIframers);} | ||
6308 | 6310 | ||
6309 | 6311 | ||
6310 | // Use a FHS compatible setup - | 6312 | // Use a FHS compatible setup - |
@@ -6675,9 +6677,32 @@ t("BODY"); | |||
6675 | Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate"); | 6677 | Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate"); |
6676 | Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache"); | 6678 | Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache"); |
6677 | Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1"); | 6679 | Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1"); |
6678 | // Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "script-src 'self'"); // This can get complex. | 6680 | Rd->Rheaders->putstr(Rd->Rheaders, "Strict-Transport-Security", "max-age=63072000"); // Two years. |
6681 | // TODO - do something about this - | ||
6682 | /* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src | ||
6683 | "Note: Disallowing inline styles and inline scripts is one of | ||
6684 | the biggest security wins CSP provides. However, if you | ||
6685 | absolutely have to use it, there are a few mechanisms that | ||
6686 | will allow them." | ||
6687 | |||
6688 | WTF? And the mechanisms include nonces, hashes, or 'unsafe-inline'. | ||
6689 | Not sure why inline styles need to be that secure, when downloaded ones are not. | ||
6690 | Ah, it's for user input that is sent back to other users, they might include funky CSS in their input. | ||
6691 | SOOOO, proper validation and escaping is needed. | ||
6692 | OOOOR, use the nonce, and make it a different nonce per page serve. | ||
6693 | OOOOR, just put all the style stuff in a .css file. Then we can use style-src 'self' without the 'unsafe-inline'? | ||
6694 | There's only one block of <style in the header I think. | ||
6695 | */ | ||
6696 | // Content-Security-Policy can get complex, and I first wrote that when it was very simple. lol | ||
6697 | if ('\0' != webIframers[0]) | ||
6698 | Rd->Rheaders->putstrf(Rd->Rheaders, "Content-Security-Policy", | ||
6699 | "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self' %s", webIframers); | ||
6700 | else | ||
6701 | { | ||
6702 | Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'"); | ||
6703 | Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN"); // This is deprecated, and is an all or nothing thing. | ||
6704 | } | ||
6679 | Rd->Rheaders->putstr(Rd->Rheaders, "X-XSS-Protection", "1;mode=block"); | 6705 | Rd->Rheaders->putstr(Rd->Rheaders, "X-XSS-Protection", "1;mode=block"); |
6680 | Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN"); | ||
6681 | Rd->Rheaders->putstr(Rd->Rheaders, "X-Content-Type-Options", "nosniff"); | 6706 | Rd->Rheaders->putstr(Rd->Rheaders, "X-Content-Type-Options", "nosniff"); |
6682 | // Failed experiment, looks like JavaScript is the only way to change headers for the session ID. | 6707 | // Failed experiment, looks like JavaScript is the only way to change headers for the session ID. |
6683 | // Rd->Rheaders->putstr(Rd->Rheaders, "X-Toke-N-Munchie", "foo, bar"); | 6708 | // Rd->Rheaders->putstr(Rd->Rheaders, "X-Toke-N-Munchie", "foo, bar"); |