Added Content-Security-Policy header to prevent XSS attacks

2016-01-29 15:52:57 +01:00 · 2016-01-29 15:52:57 +01:00 · 9b31f83f6d
parent 243e9b045f
commit 9b31f83f6d
12 changed files with 35 additions and 3 deletions
--- a/add-domain.php
+++ b/add-domain.php
@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
    require_once 'lib/session.php';
 ?>
 <html>
--- a/domains.php
+++ b/domains.php
@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
    require_once 'lib/session.php';
 ?>
 <html>
--- a/edit-master.php
+++ b/edit-master.php
@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
    require_once 'lib/session.php';
 ?>
 <html>
@ -150,7 +151,7 @@ limitations under the License.
                    <tfoot>
                        <td>New</td>
                        <td><input id="addName" type="text" class="form-control input-sm" data-regex="^([^.]+\.)*[^.]+$"></td>
-                        <td><select id="addType" class="form-control" style="width: 70%;"></select></td>
+                        <td><select id="addType" class="form-control select-narrow-70"></select></td>
                        <td><input id="addContent" type="text" class="form-control input-sm" data-regex="^.+$"></td>
                        <td><input id="addPrio" type="text" class="form-control input-sm" size="1" data-regex="^[0-9]+$"></td>
                        <td><input id="addTtl" type="text" class="form-control input-sm" size="3" data-regex="^[0-9]+$"></td>
--- a/edit-user.php
+++ b/edit-user.php
@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
    require_once 'lib/session.php';
 ?>
 <html>
--- a/include/custom.css
+++ b/include/custom.css
@ -20,4 +20,6 @@

 .cell-vertical-bottom { vertical-align: bottom !important; }
 .cell-vertical-middle { vertical-align: middle !important; }
-.cell-vertical-top { vertical-align: top !important; }
+.cell-vertical-top { vertical-align: top !important; }
+
+.select-narrow-70 { width: 70%; }
--- a/index.php
+++ b/index.php
@ -14,6 +14,9 @@ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 See the License for the specific language governing permissions and
 limitations under the License.
 -->
+<?php
+    require_once 'lib/headers.php';
+?>
 <html>
    <head>
        <title>PDNS Manager</title>
--- a/install.php
+++ b/install.php
@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
    if(file_exists("config/config-user.php")) {
        Header("Location: index.php");
    }
--- a/js/edit-master.js
+++ b/js/edit-master.js
@ -230,7 +230,7 @@ function editClicked() {
    
    var valueType = tableCells.eq(2).text();
    tableCells.eq(2).empty();
-    $('<select class="form-control" style="width: 70%;"></select>').appendTo(tableCells.eq(2)).select2({
+    $('<select class="form-control select-narrow-70"></select>').appendTo(tableCells.eq(2)).select2({
        data: recordTypes
    }).val(valueType).trigger("change");
   
--- a/lib/headers.php
+++ b/lib/headers.php
@ -0,0 +1,19 @@
+<?php
+
+/* 
+ * Copyright 2016 Lukas Metzger <developer@lukas-metzger.com>.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+Header("Content-Security-Policy: default-src 'self';");
--- a/logout.php
+++ b/logout.php
@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
    require_once 'lib/session.php';
    session_destroy();
    setcookie("authSecret", "", 1, "/", "", false, true);
--- a/password.php
+++ b/password.php
@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
    require_once 'lib/session.php';
 ?>
 <html>
--- a/users.php
+++ b/users.php
@ -15,6 +15,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 -->
 <?php
+    require_once 'lib/headers.php';
    require_once 'lib/session.php';
 ?>
 <html>