diff --git a/Application/views/admin/de/security_lang.php b/Application/views/admin/de/security_lang.php
index 24a438c..944bfe9 100755
--- a/Application/views/admin/de/security_lang.php
+++ b/Application/views/admin/de/security_lang.php
@@ -27,6 +27,21 @@ 'SHOP_MODULE_rs-security_Content-Security-Policy_12' => "Part 12", 'SHOP_MODULE_rs-security_Content-Security-Policy_13' => "Part 13", 'SHOP_MODULE_rs-security_Content-Security-Policy_14' => "Part 14", + + 'SHOP_MODULE_rs-security_Content-Security-Policy_01_domains' => "Part 1 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_02_domains' => "Part 2 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_03_domains' => "Part 3 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_04_domains' => "Part 4 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_05_domains' => "Part 5 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_06_domains' => "Part 6 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_07_domains' => "Part 7 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_08_domains' => "Part 8 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_09_domains' => "Part 9 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_10_domains' => "Part 10 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_11_domains' => "Part 11 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_12_domains' => "Part 12 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_13_domains' => "Part 13 (domains, one per line)", + 'SHOP_MODULE_rs-security_Content-Security-Policy_14_domains' => "Part 14 (domains, one per line)", 'SHOP_MODULE_GROUP_rs-security_X-Content-Type-Options' => 'Header X-Content-Type-Options', 'SHOP_MODULE_rs-security_X-Content-Type-Options_enabled' => 'Enabled?', diff --git a/Application/views/admin/en/security_lang.php b/Application/views/admin/en/security_lang.php index 03581ea..b45227a 100755 --- a/Application/views/admin/en/security_lang.php 
+++ b/Application/views/admin/en/security_lang.php
@@ -24,6 +24,20 @@
     'SHOP_MODULE_rs-security_Content-Security-Policy_12' => "Part 12",
     'SHOP_MODULE_rs-security_Content-Security-Policy_13' => "Part 13",
     'SHOP_MODULE_rs-security_Content-Security-Policy_14' => "Part 14",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_01_domains' => "Part 1 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_02_domains' => "Part 2 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_03_domains' => "Part 3 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_04_domains' => "Part 4 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_05_domains' => "Part 5 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_06_domains' => "Part 6 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_07_domains' => "Part 7 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_08_domains' => "Part 8 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_09_domains' => "Part 9 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_10_domains' => "Part 10 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_11_domains' => "Part 11 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_12_domains' => "Part 12 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_13_domains' => "Part 13 (domains, one per line)",
+    'SHOP_MODULE_rs-security_Content-Security-Policy_14_domains' => "Part 14 (domains, one per line)",
     'SHOP_MODULE_GROUP_rs-security_X-Content-Type-Options' => 'Header X-Content-Type-Options',
     'SHOP_MODULE_rs-security_X-Content-Type-Options_enabled' => 'Enabled?',
     'SHOP_MODULE_rs-security_X-Content-Type-Options' => 'Default: nosniff',
diff --git a/Core/Output.php b/Core/Output.php
index 953d087..1ab960d 100755
--- a/Core/Output.php
+++ b/Core/Output.php
@@ -45,9 +45,13 @@ public function sendHeaders()
         for($x=1;$x<15;$x++)
         {
             $sValue = 'rs-security_'.$sHeader.'_'.str_pad($x,2,'0',STR_PAD_LEFT);
+            $sValueDomains = 'rs-security_'.$sHeader.'_'.str_pad($x,2,'0',STR_PAD_LEFT)."_domains";
             $sValue = trim($oConfig->getConfigParam($sValue));
+            $aValueDomains = $oConfig->getConfigParam($sValueDomains);
             if($sValue && $sValue!=="")
-                $aValues[]=$sValue;
+            {
+                $aValues[]=$sValue." ".implode(" ",$aValueDomains);
+            }
         }
         if(!empty($aValues))
         {
diff --git a/Core/UtilsServer.php b/Core/UtilsServer.php
index 82cf02d..c10a0ad 100644
--- a/Core/UtilsServer.php
+++ b/Core/UtilsServer.php
@@ -8,7 +8,7 @@ class UtilsServer extends UtilsServer_parent
     protected function _rs_security__getCookieSameSite()
     {
         $oConfig = $this->getConfig();
-        if (!$this->_rs_security__isSecure()) return "";
+        //if (!$this->_rs_security__isSecure()) return "";
         $sSameSite = "";
         if ((bool) $oConfig->getConfigParam('rs-security_cookie_SameSite_enabled',
diff --git a/metadata.php b/metadata.php
index f2ae155..6085b33 100755
--- a/metadata.php
+++ b/metadata.php
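Review bot: `$aValueDomains = $oConfig->getConfigParam($sValueDomains);` is fed straight into `implode(" ", ...)` with no null guard, so a `_domains` key that has never been saved (getConfigParam presumably yields null for an unknown key) raises a TypeError on PHP 8 and aborts header output for the whole response. The entries are also neither trimmed nor filtered, so an empty or `\r`-terminated line from the admin textarea becomes a stray token, and because entries are space-joined a value containing `;` opens a new directive — admin input, but cheap to sanitise. Suggest `$aValueDomains = array_filter(array_map('trim', (array) $oConfig->getConfigParam($sValueDomains)));` followed by `$aValues[] = trim($sValue . ' ' . implode(' ', $aValueDomains));`, which also removes the trailing space emitted when the list is empty. Note that a `_domains` list whose directive string `$sValue` is empty (parts 11–14 default to "") is silently dropped by the surrounding `if`. sendHeaders() begins and ends outside the hunk.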
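Review bot: Commenting out the `_rs_security__isSecure()` guard means `_rs_security__getCookieSameSite()` now returns a SameSite attribute on plain-HTTP responses as well; for `SameSite=None` current browsers reject the cookie unless it also carries `Secure`, which cannot be honoured over http, so the cookie would be dropped rather than relaxed. Keep the new behaviour for Lax/Strict (valid over http) but retain the guard for None, placed after the value is resolved, e.g. `if (strcasecmp($sSameSite, 'None') === 0 && !$this->_rs_security__isSecure()) return "";`, and delete the commented-out line rather than leaving dead code behind. Whether `Secure` is attached alongside the attribute is not visible here; the remainder of the method lies outside the hunk.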
@@ -49,41 +49,100 @@
         'type' => 'str',
         'value' => "default-src 'self' https:",
     ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_01_domains',
+        'type' => 'arr',
+        'value' => [],
+    ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_02',
         'type' => 'str',
         'value' => "object-src 'none'",
     ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_02_domains',
+        'type' => 'arr',
+        'value' => [],
+    ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_03',
         'type' => 'str',
-        'value' => "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+        'value' => "style-src 'self' 'unsafe-inline'",
+    ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_03_domains',
+        'type' => 'arr',
+        'value' => [
+            'https://fonts.googleapis.com'
+        ],
     ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_04',
         'type' => 'str',
-        'value' => "font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com",
+        'value' => "font-src 'self' data:",
+    ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_04_domains',
+        'type' => 'arr',
+        'value' => [
+            'https://fonts.googleapis.com',
+            'https://fonts.gstatic.com'
+        ],
     ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_05',
         'type' => 'str',
-        'value' => "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com",
+        'value' => "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+    ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_05_domains',
+        'type' => 'arr',
+        'value' => [
+            'https://www.paypal.com/paymentwall/payment-selection',
+            'https://www.paypalobjects.com https://www.google-analytics.com'
+        ],
     ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_06',
         'type' => 'str',
-        'value' => "img-src 'self' data: https://www.google.com https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net",
+        'value' => "img-src 'self' data:",
+    ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_06_domains',
+        'type' => 'arr',
+        'value' => [
+            'https://www.google.com',
+            'https://www.google-analytics.com',
+            'www.google-analytics.com',
+            'https://stats.g.doubleclick.net'
+        ],
     ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_07',
         'type' => 'str',
-        'value' => "connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net",
+        'value' => "connect-src 'self'",
+    ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_07_domains',
+        'type' => 'arr',
+        'value' => [
+            'https://www.google-analytics.com',
+            'www.google-analytics.com',
+            'https://stats.g.doubleclick.net'
+        ],
     ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
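Review bot: The second element of `rs-security_Content-Security-Policy_05_domains`, `'https://www.paypalobjects.com https://www.google-analytics.com'`, packs two hosts into one list entry, contradicting the "one per line" contract the new field advertises and defeating any per-entry trimming or validation of the list; it only works today because the consumer space-joins the array. Split it into `'https://www.paypalobjects.com',` and `'https://www.google-analytics.com'`. Separately, the 06 and 07 lists carry both `https://www.google-analytics.com` and the scheme-less `www.google-analytics.com`; the scheme-less form is redundant on an https page and additionally matches http: on an http page, so it is worth dropping now that each host is a discrete item (it was carried over from the old string value).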
@@ -91,11 +150,25 @@
         'type' => 'str',
         'value' => "frame-ancestors 'self'",
     ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_08_domains',
+        'type' => 'arr',
+        'value' => [],
+    ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_09',
         'type' => 'str',
-        'value' => "form-action 'self' https://www.paypal.com/paymentwall/payment-selection",
+        'value' => "form-action 'self'",
+    ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_09_domains',
+        'type' => 'arr',
+        'value' => [
+            'https://www.paypal.com/paymentwall/payment-selection'
+        ],
     ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
@@ -103,31 +176,60 @@
         'type' => 'str',
         'value' => "base-uri 'self'",
     ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_10_domains',
+        'type' => 'arr',
+        'value' => [],
+    ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_11',
         'type' => 'str',
         'value' => "",
     ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_11_domains',
+        'type' => 'arr',
+        'value' => [],
+    ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_12',
         'type' => 'str',
         'value' => "",
     ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_12_domains',
+        'type' => 'arr',
+        'value' => [],
+    ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_13',
         'type' => 'str',
         'value' => "",
     ),
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_13_domains',
+        'type' => 'arr',
+        'value' => [],
+    ),
     array(
         'group' => 'rs-security_Content-Security-Policy',
         'name' => 'rs-security_Content-Security-Policy_14',
         'type' => 'str',
         'value' => "",
     ),
-
+    array(
+        'group' => 'rs-security_Content-Security-Policy',
+        'name' => 'rs-security_Content-Security-Policy_14_domains',
+        'type' => 'arr',
+        'value' => [],
+    ),
     /* ----- */
     array(
         'group' => 'rs-security_X-Content-Type-Options',
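Review bot: `rs-security_Content-Security-Policy_10_domains` exposes a free-form host list for `base-uri 'self'`, but unlike the fetch directives any host appended here allows an injected `<base href>` to redirect every relative script, form and link URL of the page to that host, which undoes much of what the rest of the policy buys. Either leave base-uri without a companion list or mark the entry so an admin does not treat it like the others, e.g. a comment above the array: `// base-uri: keep empty unless a foreign <base href> is genuinely required; any host listed here permits <base> hijacking of relative URLs`. The same consideration applies to part 08 (`frame-ancestors`) in the preceding hunk, whose entries are framing origins rather than fetch sources.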