Commit 1bebba42 authored by Christophe Maudoux's avatar Christophe Maudoux

WIP - Partial revert and debug messages appended to test (#1480)

parent 6aed829b
......@@ -31,7 +31,6 @@ sub defaultValues {
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspFormAction' => '\'self\'',
'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
......
......@@ -907,10 +907,6 @@ qr/(?:(?:https?):\/\/(?:(?:(?:(?:(?:(?:[a-zA-Z0-9][-a-zA-Z0-9]*)?[a-zA-Z0-9])[.]
'default' => '\'self\'',
'type' => 'text'
},
'cspFormAction' => {
'default' => '\'self\'',
'type' => 'text'
},
'cspImg' => {
'default' => '\'self\' data:',
'type' => 'text'
......
......@@ -599,11 +599,6 @@ sub attributes {
default => "'self'",
documentation => 'Font source for Content-Security-Policy',
},
cspFormAction => {
type => 'text',
default => "'self'",
documentation => 'Form-Action source for Content-Security-Policy',
},
portalAntiFrame => {
default => 1,
type => 'bool',
......
......@@ -736,7 +736,6 @@ sub tree {
'cspDefault', 'cspImg',
'cspScript', 'cspStyle',
'cspConnect', 'cspFont',
'cspFormAction',
]
},
'requireToken',
......
......@@ -142,7 +142,6 @@
"cspStyle":"مصدر الأسلوب ",
"cspConnect":"وجهات أجاكس",
"cspFont":" مصدر نوع الخط",
"cspFormAction":"Form-Action source",
"cfgLog":"استئنف",
"cfgVersion":"عملية ضبط الإصدارات",
"checkXSS":"تحقق من هجمات XSS",
......
......@@ -142,7 +142,6 @@
"cspStyle":"Style source",
"cspConnect":"Ajax destinations",
"cspFont":"Font source",
"cspFormAction":"Form-Action source",
"cfgLog":"Resume",
"cfgVersion":"Configuration version",
"checkXSS":"Check XSS attacks",
......
......@@ -142,7 +142,6 @@
"cspStyle":"Sources des styles",
"cspConnect":"Destinations des requêtes Ajax",
"cspFont":"Source des polices",
"cspFormAction":"Source des actions des formulaires",
"cfgLog":"Résumé",
"cfgVersion":"Version de la configuration",
"checkXSS":"Contrôler les attaques XSS",
......
......@@ -142,7 +142,6 @@
"cspStyle":"Origine di stile",
"cspConnect":"Destinazioni Ajax",
"cspFont":"Origine carattere",
"cspFormAction":"Form-Action source",
"cfgLog":"Riprendi",
"cfgVersion":"Versione configurazione",
"checkXSS":"Verifica attacchi XSS",
......
......@@ -142,7 +142,6 @@
"cspStyle":"Nguồn phong cách",
"cspConnect":"Đích cúa Ajax",
"cspFont":"Nguồn phông chữ",
"cspFormAction":"Form-Action source",
"cfgLog":"Tiếp tục",
"cfgVersion":"Phiên bản cấu hình",
"checkXSS":"Kiểm tra tấn công XSS",
......
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -174,7 +174,6 @@ sub reloadConf {
my $prm = $self->conf->{ 'csp' . ucfirst($_) };
$csp .= "$_-src $prm;" if ($prm);
}
$csp = $csp . "form-action 'self' " . $self->conf->{ cspFormAction };
$self->csp($csp);
# Initialize templateDir
......
......@@ -722,18 +722,21 @@ sub sendHtml {
'X-XSS-Protection' => '1; mode=block',
'X-Content-Type-Options' => 'nosniff';
# Set authorizated URL for POST
#my $csp = $self->csp . "form-action 'self'";
my $csp = $self->csp;
# Set authorized URL for POST
my $csp = $self->csp . "form-action 'self'";
if ( my $url = $req->urldc ) {
$self->logger->debug("Required urldc : $url");
$url =~ s#(https?://[^/]+).*#$1#;
$csp .= " $url";
$self->logger->debug("Set CSP form-action with urldc : $url");
$csp .= " $url";
}
my $url = $args{params}->{URL};
if ( $url and $url =~ s#(https?://[^/]+).*#$1# ) {
my $url = $args->{params}->{URL};
$self->logger->debug("Required Params URL : $url");
if ( defined $url and $url =~ s#(https?://[^/]+).*#$1# ) {
$self->logger->debug("Set CSP form-action with Params URL : $url");
$csp .= " $url";
}
$csp .= ';';
#$csp .= ';';
# Deny using portal in frame except if it is required
unless ( $req->frame or $self->conf->{portalAntiFrame} == 0 ) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment