]> git.ipfire.org Git - people/arne_f/ipfire-2.x.git/commitdiff
projects / people / arne_f / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7ddfc68)
prevent loading resources from external sites
authorPeter Müller <peter.mueller@link38.eu>
Sun, 3 Dec 2017 19:34:02 +0000 (20:34 +0100)
committerMichael Tremer <michael.tremer@ipfire.org>
Sat, 16 Dec 2017 12:18:39 +0000 (12:18 +0000)
Make Apache transmit a CSP (Content Security Policy) header
for WebUI and Captive Portal contents.

This prevents some XSS and content injection attacks, especially
in case no transport encryption (Captive Portal!) can be used.

Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/httpd/vhosts.d/captive.conf patch | blob | blame | history
config/httpd/vhosts.d/ipfire-interface-ssl.conf patch | blob | blame | history
config/httpd/vhosts.d/ipfire-interface.conf patch | blob | blame | history

diff --git a/config/httpd/vhosts.d/captive.conf b/config/httpd/vhosts.d/captive.conf
index e71a26081ef2a11edafdad053910f37acaab9cd5..629fa818021ad6299af8eaad582857eeb581f82c 100644 (file)
--- a/config/httpd/vhosts.d/captive.conf
+++ b/config/httpd/vhosts.d/captive.conf
@@ -10,6 +10,7 @@ Listen 1013
        KeepAlive Off
 
        Header always set X-Content-Type-Options nosniff
+       Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
        ScriptAlias /cgi-bin/ /srv/web/ipfire/cgi-bin/captive/
        Alias /assets/ /srv/web/ipfire/html/captive/assets/
diff --git a/config/httpd/vhosts.d/ipfire-interface-ssl.conf b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
index c5d8ffba9efdcfe0651e8cb6e0ebfe9257fa75cd..b5052dda4ae3d780d9af88ed8aaa6dd539ea64ab 100644 (file)
--- a/config/httpd/vhosts.d/ipfire-interface-ssl.conf
+++ b/config/httpd/vhosts.d/ipfire-interface-ssl.conf
@@ -21,6 +21,7 @@
     SSLCertificateKeyFile /etc/httpd/server-ecdsa.key
 
     Header always set X-Content-Type-Options nosniff
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
diff --git a/config/httpd/vhosts.d/ipfire-interface.conf b/config/httpd/vhosts.d/ipfire-interface.conf
index 5c7ddc7197cbb1a0dcb9cf513d86a9510ef36cfa..b709944047b3c74a56c33d4646a3816bea4f1f3e 100644 (file)
--- a/config/httpd/vhosts.d/ipfire-interface.conf
+++ b/config/httpd/vhosts.d/ipfire-interface.conf
@@ -7,6 +7,7 @@
     RewriteRule .* - [F]
 
     Header always set X-Content-Type-Options nosniff
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'"
 
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
Arne's tree of IPFire 2.x.