From dcbb6f814470c8da8ba79fe39ae8827141a5fa9a Mon Sep 17 00:00:00 2001
From: onefang
Date: Thu, 30 Apr 2020 13:05:13 +1000
Subject: Config option to allow other web sites to iFrame our pages.

Coz someone asked for it.
---
 src/sledjchisl/sledjchisl.c | 29 +++++++++++++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

(limited to 'src/sledjchisl/sledjchisl.c')

diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index 8e9108e..6bb9b48 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -446,6 +446,7 @@ char *Tcmd = "tmux -S";
 char *webRoot = "/var/www/html";
 char *URL = "fcgi-bin/sledjchisl.fcgi";
 char *ToS = "Be good.";
+char *webIframers = "";
 int  seshTimeOut  = 30 * 60;
 int  idleTimeOut  = 24 * 60 * 60;
 int newbieTimeOut = 30;
@@ -6305,6 +6306,7 @@ jit library is loaded or the JIT compiler will not be activated.
   if ((vd  = configs->get   (configs, "idleTimeOut",    NULL, false))	!= NULL)  {idleTimeOut		= (int) *((float *) vd);	D("Setting idleTimeOut = %d", idleTimeOut);}
   if ((vd  = configs->get   (configs, "newbieTimeOut",  NULL, false))	!= NULL)  {newbieTimeOut	= (int) *((float *) vd);	D("Setting newbieTimeOut = %d", newbieTimeOut);}
   if ((tmp = configs->getstr(configs, "ToS",      false))		!= NULL)  {ToS			= tmp;				D("Setting ToS = %s", ToS);}
+  if ((tmp = configs->getstr(configs, "webIframers", false))		!= NULL)  {webIframers		= tmp;				D("Setting webIframers = %s", webIframers);}
 
 
   // Use a FHS compatible setup -
@@ -6675,9 +6677,32 @@ t("BODY");
 	Rd->Rheaders->putstr(Rd->Rheaders, "Cache-Control", "no-cache, no-store, must-revalidate");
 	Rd->Rheaders->putstr(Rd->Rheaders, "Pragma", "no-cache");
 	Rd->Rheaders->putstr(Rd->Rheaders, "Expires", "-1");
-//	Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "script-src 'self'");	// This can get complex.
+	Rd->Rheaders->putstr(Rd->Rheaders, "Strict-Transport-Security", "max-age=63072000");	// Two years.
+// TODO - do something about this -
+	/* https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src
+	    "Note: Disallowing inline styles and inline scripts is one of
+	    the biggest security wins CSP provides. However, if you
+	    absolutely have to use it, there are a few mechanisms that
+	    will allow them."
+
+	    WTF?  And the mechanisms include nonces, hashes, or 'unsafe-inline'.
+	    Not sure why inline styles need to be that secure, when downloaded ones are not.
+	    Ah, it's for user input that is sent back to other users, they might include funky CSS in their input.
+	    SOOOO, proper validation and escaping is needed.
+	    OOOOR, use the nonce, and make it a different nonce per page serve.
+	    OOOOR, just put all the style stuff in a .css file.  Then we can use style-src 'self' without the 'unsafe-inline'?
+		There's only one block of <style in the header I think.
+	*/
+	// Content-Security-Policy can get complex, and I first wrote that when it was very simple.  lol
+	if ('\0' != webIframers[0])
+	  Rd->Rheaders->putstrf(Rd->Rheaders, "Content-Security-Policy", 
+	    "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'self' %s", webIframers);
+	else
+	{
+	  Rd->Rheaders->putstr(Rd->Rheaders, "Content-Security-Policy", "default-src 'self'; script-src 'none'; form-action 'self'; style-src 'self' 'unsafe-inline'");
+	  Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN");	// This is deprecated, and is an all or nothing thing.
+	}
 	Rd->Rheaders->putstr(Rd->Rheaders, "X-XSS-Protection", "1;mode=block");
-	Rd->Rheaders->putstr(Rd->Rheaders, "X-Frame-Options", "SAMEORIGIN");
 	Rd->Rheaders->putstr(Rd->Rheaders, "X-Content-Type-Options", "nosniff");
 // Failed experiment, looks like JavaScript is the only way to change headers for the session ID.
 //	Rd->Rheaders->putstr(Rd->Rheaders, "X-Toke-N-Munchie", "foo, bar");
-- 
cgit v1.1