From: Peter Müller <peter.mueller@link38.eu>
Date: Sun, 3 Dec 2017 19:34:02 +0000 (+0100)
Subject: prevent loading resources from external sites
X-Git-Tag: v2.19-core118~3^2~83
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb6d71514a27e4af5953bd07c34f3ee82c2ef463;p=people%2Fstevee%2Fipfire-2.x.git

prevent loading resources from external sites

Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.

This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index e71a26081e..629fa81802 100644
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -10,6 +10,7 @@ Listen 1013
 	KeepAlive Off
 
 	Header always set X-Content-Type-Options nosniff
+	Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
 	ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
 	Alias /assets/ /srv/web/ipfire/html/captive/assets/
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index c5d8ffba9e..b5052dda4a 100644
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -21,6 +21,7 @@
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
 
     Header always set X-Content-Type-Options nosniff
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 5c7ddc7197..b709944047 100644
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -7,6 +7,7 @@
     RewriteRule .* - [F]
 
     Header always set X-Content-Type-Options nosniff
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI