kenmirrors/firefly-iii
1
0
Fork 0
mirror of https://github.com/firefly-iii/firefly-iii.git synced 2025-10-16 09:22:33 +00:00
Code Issues Projects Releases Wiki Activity

Strict headers and CSS nonce

Browse Source
This commit is contained in:
James Cole
2021-04-08 12:10:04 +02:00
parent e580093a34
commit 849c7dfe02
7 changed files with 15 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/Http/Middleware/SecureHeaders.php
View File

@@ -53,8 +53,9 @@ class SecureHeaders
$csp = [
"default-src 'none'",
"object-src 'self'",
sprintf("script-src 'unsafe-inline' 'nonce-%1s' %2s", $nonce, $trackingScriptSrc),
"style-src 'self' 'unsafe-inline'",
sprintf("script-src 'unsafe-inline' 'nonce-%1s' %2s 'strict-dynamic'", $nonce, $trackingScriptSrc),
"style-src 'unsafe-inline' 'self'",
"frame-ancestors 'none'",
"base-uri 'self'",
"font-src 'self' data:",
"connect-src 'self'",

4
resources/views/errors/404.twig
View File

@@ -8,8 +8,8 @@
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css">
<link rel="stylesheet" href="v2/css/app.css">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css" nonce="{{ JS_NONCE }}">
<link rel="stylesheet" href="v2/css/app.css" nonce="{{ JS_NONCE }}">
</head>
<body>

4
resources/views/errors/500.twig
View File

@@ -8,8 +8,8 @@
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css">
<link rel="stylesheet" href="v2/css/app.css">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css" nonce="{{ JS_NONCE }}">
<link rel="stylesheet" href="v2/css/app.css" nonce="{{ JS_NONCE }}">
</head>
<body>

4
resources/views/errors/503.twig
View File

@@ -8,8 +8,8 @@
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css">
<link rel="stylesheet" href="v2/css/app.css">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css" nonce="{{ JS_NONCE }}">
<link rel="stylesheet" href="v2/css/app.css" nonce="{{ JS_NONCE }}">
</head>
<body>

4
resources/views/errors/FireflyException.twig
View File

@@ -8,8 +8,8 @@
<!-- Tell the browser to be responsive to screen width -->
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css">
<link rel="stylesheet" href="v2/css/app.css">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css" nonce="{{ JS_NONCE }}">
<link rel="stylesheet" href="v2/css/app.css" nonce="{{ JS_NONCE }}">
</head>
<body>

4
resources/views/v2/layout/auth.twig
View File

@@ -13,8 +13,8 @@
// {{ subTitle }}
{% endif %}</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css">
<link rel="stylesheet" href="v2/css/app.css">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css" nonce="{{ JS_NONCE }}">
<link rel="stylesheet" href="v2/css/app.css" nonce="{{ JS_NONCE }}">
</head>
<body class="hold-transition login-page">
{% block content %}{% endblock %}

4
resources/views/v2/layout/default.twig
View File

@@ -24,8 +24,8 @@
</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css">
<link rel="stylesheet" href="v2/css/app.css">
<link rel="stylesheet" href="v2/plugins/local-fonts/gf-source.css" nonce="{{ JS_NONCE }}">
<link rel="stylesheet" href="v2/css/app.css" nonce="{{ JS_NONCE }}">
</head>
<body class="hold-transition sidebar-mini layout-fixed layout-navbar-fixed">
<div class="wrapper">