split header up into smaller parts
ThomasJanda committed May 19, 2020
1 parent cc07ec4 commit 6627c18
Showing 4 changed files with 127 additions and 5 deletions.
15 changes: 14 additions & 1 deletion Application/views/admin/de/security_lang.php
Expand Up @@ -6,7 +6,20 @@

'SHOP_MODULE_GROUP_rs-security_main' => 'Standard headers',
'SHOP_MODULE_rs-security_Strict-Transport-Security' => 'Strict-Transport-Security (Default: max-age=63072000; includeSubDomains; preload)',
'SHOP_MODULE_rs-security_Content-Security-Policy' => "Content-Security-Policy (Default: default-src 'self' https: ; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self'; form-action 'self' https://www.paypal.com/paymentwall/payment-selection; base-uri 'self';)",
'SHOP_MODULE_rs-security_Content-Security-Policy_01' => "Content-Security-Policy part 1 (Default: default-src 'self' https:)",
'SHOP_MODULE_rs-security_Content-Security-Policy_02' => "Content-Security-Policy part 2 (Default: object-src 'none')",
'SHOP_MODULE_rs-security_Content-Security-Policy_03' => "Content-Security-Policy part 3 (Default: style-src 'self' 'unsafe-inline' https://fonts.googleapis.com)",
'SHOP_MODULE_rs-security_Content-Security-Policy_04' => "Content-Security-Policy part 4 (Default: font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com)",
'SHOP_MODULE_rs-security_Content-Security-Policy_05' => "Content-Security-Policy part 5 (Default: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com)",
'SHOP_MODULE_rs-security_Content-Security-Policy_06' => "Content-Security-Policy part 6 (Default: img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net)",
'SHOP_MODULE_rs-security_Content-Security-Policy_07' => "Content-Security-Policy part 7 (Default: connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net)",
'SHOP_MODULE_rs-security_Content-Security-Policy_08' => "Content-Security-Policy part 8 (Default: frame-ancestors 'self')",
'SHOP_MODULE_rs-security_Content-Security-Policy_09' => "Content-Security-Policy part 9 (Default: form-action 'self' https://www.paypal.com/paymentwall/payment-selection)",
'SHOP_MODULE_rs-security_Content-Security-Policy_10' => "Content-Security-Policy part 10 (Default: base-uri 'self')",
'SHOP_MODULE_rs-security_Content-Security-Policy_11' => "Content-Security-Policy part 11",
'SHOP_MODULE_rs-security_Content-Security-Policy_12' => "Content-Security-Policy part 12",
'SHOP_MODULE_rs-security_Content-Security-Policy_13' => "Content-Security-Policy part 13",
'SHOP_MODULE_rs-security_Content-Security-Policy_14' => "Content-Security-Policy part 14",
'SHOP_MODULE_rs-security_X-Content-Type-Options' => 'X-Content-Type-Options (Default: nosniff)',
'SHOP_MODULE_rs-security_X-Frame-Options' => 'X-Frame-Options (Default: SAMEORIGIN)',
'SHOP_MODULE_rs-security_X-XSS-Protection' => 'X-XSS-Protection (Default: 1; mode=block)',
15 changes: 14 additions & 1 deletion Application/views/admin/en/security_lang.php
Expand Up @@ -6,7 +6,20 @@

'SHOP_MODULE_GROUP_rs-security_main' => 'Standard headers',
'SHOP_MODULE_rs-security_Strict-Transport-Security' => 'Strict-Transport-Security (Default: max-age=63072000; includeSubDomains; preload)',
'SHOP_MODULE_rs-security_Content-Security-Policy' => "Content-Security-Policy (Default: default-src 'self' https: ; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self'; form-action 'self' https://www.paypal.com/paymentwall/payment-selection; base-uri 'self';)",
'SHOP_MODULE_rs-security_Content-Security-Policy_01' => "Content-Security-Policy part 1 (Default: default-src 'self' https:)",
'SHOP_MODULE_rs-security_Content-Security-Policy_02' => "Content-Security-Policy part 2 (Default: object-src 'none')",
'SHOP_MODULE_rs-security_Content-Security-Policy_03' => "Content-Security-Policy part 3 (Default: style-src 'self' 'unsafe-inline' https://fonts.googleapis.com)",
'SHOP_MODULE_rs-security_Content-Security-Policy_04' => "Content-Security-Policy part 4 (Default: font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com)",
'SHOP_MODULE_rs-security_Content-Security-Policy_05' => "Content-Security-Policy part 5 (Default: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com)",
'SHOP_MODULE_rs-security_Content-Security-Policy_06' => "Content-Security-Policy part 6 (Default: img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net)",
'SHOP_MODULE_rs-security_Content-Security-Policy_07' => "Content-Security-Policy part 7 (Default: connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net)",
'SHOP_MODULE_rs-security_Content-Security-Policy_08' => "Content-Security-Policy part 8 (Default: frame-ancestors 'self')",
'SHOP_MODULE_rs-security_Content-Security-Policy_09' => "Content-Security-Policy part 9 (Default: form-action 'self' https://www.paypal.com/paymentwall/payment-selection)",
'SHOP_MODULE_rs-security_Content-Security-Policy_10' => "Content-Security-Policy part 10 (Default: base-uri 'self')",
'SHOP_MODULE_rs-security_Content-Security-Policy_11' => "Content-Security-Policy part 11",
'SHOP_MODULE_rs-security_Content-Security-Policy_12' => "Content-Security-Policy part 12",
'SHOP_MODULE_rs-security_Content-Security-Policy_13' => "Content-Security-Policy part 13",
'SHOP_MODULE_rs-security_Content-Security-Policy_14' => "Content-Security-Policy part 14",
'SHOP_MODULE_rs-security_X-Content-Type-Options' => 'X-Content-Type-Options (Default: nosniff)',
'SHOP_MODULE_rs-security_X-Frame-Options' => 'X-Frame-Options (Default: SAMEORIGIN)',
'SHOP_MODULE_rs-security_X-XSS-Protection' => 'X-XSS-Protection (Default: 1; mode=block)',
16 changes: 15 additions & 1 deletion Core/Output.php
Expand Up @@ -22,7 +22,6 @@ public function sendHeaders()
//Standard
$aHeaders = [
'Strict-Transport-Security',
'Content-Security-Policy',
'X-Content-Type-Options',
'X-Frame-Options',
'X-XSS-Protection',
Expand All @@ -35,6 +34,21 @@ public function sendHeaders()
\OxidEsales\Eshop\Core\Registry::getUtils()->setHeader($sHeader.":".$sValue);
}

$sHeader = "Content-Security-Policy";
$aValues = [];
for($x=1;$x<15;$x++)
{
$sValue = 'rs-security_'.$sHeader.'_'.str_pad($x,2,'0',STR_PAD_LEFT);
$sValue = trim($oConfig->getConfigParam($sValue));
if($sValue && $sValue!=="")
$aValues[]=$sValue;
}
if(!empty($aValues))
{
$sValue = implode(" ; ",$aValues)." ;";
\OxidEsales\Eshop\Core\Registry::getUtils()->setHeader($sHeader.":".$sValue);
}

//Additional
$aHeaders = [
'1',
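Review bot: Installations that customised the old single `rs-security_Content-Security-Policy` setting lose that policy after this change: the loop `for($x=1;$x<15;$x++)` reads only the new `_01`..`_14` keys, while the old key is dropped from `$aHeaders` in the first hunk and from metadata.php, so the stored legacy value is never read again and the header is built from whatever defaults the new keys receive (presumably written on module activation, which is outside this diff). If no migration of the old value is planned, a comment at the `$sHeader = "Content-Security-Policy";` line such as `// legacy single-value key rs-security_Content-Security-Policy is no longer read; policies must be re-entered per part` would at least make that visible. The guard `if($sValue && $sValue!=="")` is redundant and its truthiness half would also drop a literal `"0"`, so `if ($sValue !== '')` is sufficient, and `trim($oConfig->getConfigParam($sValue))` emits a deprecation on a null parameter under PHP 8.1+, which `trim((string) ...)` avoids. The bound `15` should be a named constant shared with the metadata and language keys (`private const CSP_PARTS = 14;` and `$x <= self::CSP_PARTS`) so the three cannot drift apart, and reusing `$sValue` first for the parameter name and then for its value hurts readability. sendHeaders() starts before and ends after this hunk.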
86 changes: 84 additions & 2 deletions metadata.php
Expand Up @@ -26,12 +26,94 @@
'type' => 'str',
'value' => 'max-age=63072000; includeSubDomains; preload',
),


array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_01',
'type' => 'str',
'value' => "default-src 'self' https:",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_02',
'type' => 'str',
'value' => "object-src 'none'",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_03',
'type' => 'str',
'value' => "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_04',
'type' => 'str',
'value' => "font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_05',
'type' => 'str',
'value' => "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_06',
'type' => 'str',
'value' => "img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_07',
'type' => 'str',
'value' => "connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_08',
'type' => 'str',
'value' => "frame-ancestors 'self'",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_09',
'type' => 'str',
'value' => "form-action 'self' https://www.paypal.com/paymentwall/payment-selection",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_10',
'type' => 'str',
'value' => "base-uri 'self'",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy',
'name' => 'rs-security_Content-Security-Policy_11',
'type' => 'str',
'value' => "default-src 'self' https: ; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self'; form-action 'self' https://www.paypal.com/paymentwall/payment-selection; base-uri 'self';",
'value' => "",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_12',
'type' => 'str',
'value' => "",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_13',
'type' => 'str',
'value' => "",
),
array(
'group' => 'rs-security_main',
'name' => 'rs-security_Content-Security-Policy_14',
'type' => 'str',
'value' => "",
),


array(
'group' => 'rs-security_main',
'name' => 'rs-security_X-Content-Type-Options',
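Review bot: The split is not a pure refactor of the default policy: part 4's default `"font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com"` adds the `data:` scheme, which the removed combined default (`font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com`) did not allow, and the same widened text is mirrored in both language files. Permitting `data:` fonts is a deliberate loosening of the policy and deserves its own commit message line or a comment on that entry, e.g. `// data: added for inline (base64) web fonts; not part of the pre-split default`. Parts 11 to 14 ship with an empty `'value'` and no description in the language files, so a short hint in the `_11`..`_14` labels that these are free slots for additional directives would help admins.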