
Fix & Enable back CSP - Fixes #417

Bubka 8 달 전
부모
커밋
e349c1057b
5개의 변경된 파일21개의 추가작업 그리고 10개의 파일을 삭제
  1. 1 1
      .env.example
  2. 1 1
      Dockerfile
  3. 17 6
      app/Http/Middleware/AddContentSecurityPolicyHeaders.php
  4. 1 1
      config/2fauth.php
  5. 1 1
      resources/views/landing.blade.php

+ 1 - 1
.env.example

@@ -279,7 +279,7 @@ PROXY_FOR_OUTGOING_REQUESTS=null
 # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
 # an attacker is able to inject malicious code into the web app
 
-CONTENT_SECURITY_POLICY=false
+CONTENT_SECURITY_POLICY=true
 
 
 # Leave the following configuration vars as is.

+ 1 - 1
Dockerfile

@@ -242,7 +242,7 @@ ENV \
     # CSP helps to prevent or minimize the risk of certain types of security threats.
     # This is mainly used as a defense against cross-site scripting (XSS) attacks, in which
     # an attacker is able to inject malicious code into the web app
-    CONTENT_SECURITY_POLICY=false \
+    CONTENT_SECURITY_POLICY=true \
     # Leave the following configuration vars as is.
     # Unless you like to tinker and know what you're doing.
     BROADCAST_DRIVER=log \

+ 17 - 6
app/Http/Middleware/AddContentSecurityPolicyHeaders.php

@@ -16,13 +16,24 @@ class AddContentSecurityPolicyHeaders
      */
     public function handle(Request $request, Closure $next) : Response
     {
-        // if (config('2fauth.config.contentSecurityPolicy')) {
-        //     Vite::useCspNonce();
+        if (config('2fauth.config.contentSecurityPolicy')) {
+            Vite::useCspNonce();
 
-        //     return $next($request)->withHeaders([
-        //         'Content-Security-Policy' => "script-src 'nonce-" . Vite::cspNonce() . "';style-src 'self' 'unsafe-inline';connect-src 'self';img-src 'self' data:;object-src 'none';",
-        //     ]);
-        // }
+            $assetUrl = config('app.asset_url') != config('app.url') ? config('app.asset_url') : '';
+
+            $directives['script-src'] = "script-src 'nonce-" . Vite::cspNonce() . "' " . $assetUrl . ";";
+            $directives['script-src-elem'] = "script-src-elem 'nonce-" . Vite::cspNonce() . "' " . $assetUrl . " 'strict-dynamic';";
+            $directives['style-src'] = "style-src 'self' " . $assetUrl . " 'unsafe-inline';";
+            $directives['connect-src'] = "connect-src 'self';";
+            $directives['img-src'] = "img-src 'self' data: " . $assetUrl . ";";
+            $directives['object-src'] = "object-src 'none';";
+
+            $csp = implode(' ', $directives);
+
+            return $next($request)->withHeaders([
+                'Content-Security-Policy' => $csp,
+            ]);
+        }
 
         return $next($request);
     }
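Review bot: The policy assembled at lines 65–70 sets no `default-src` and no `base-uri`, so every fetch directive not listed (font-src, worker-src, frame-src, manifest-src, …) falls back to unrestricted, and an injected `<base>` element could redirect the relative script and manifest URLs the nonce is meant to protect; adding `default-src 'self';` and `base-uri 'self';` ahead of the existing entries closes both gaps, though confirm first that the bundle does not load fonts or workers from another origin. The comparison at line 63 uses loose `!=` and leaves `$assetUrl` as `null` whenever `app.asset_url` is unset (it is then silently concatenated as an empty string), so compare with `!==` and coerce to string explicitly; `$directives` is also written to without being initialised, which static analysis will flag. Note that `'strict-dynamic'` appears only in `script-src-elem`: browsers honouring it ignore the `$assetUrl` host source in that directive, while browsers without `script-src-elem` support fall back to `script-src`, which lacks it, so the effective policy differs by browser — pick one form and use it in both. handle() is shown in full here; the rest of the class lies outside the hunk.
```php
            // app.asset_url is null unless ASSET_URL is set; compare strictly and coerce to string
            $assetUrl = config('app.asset_url');
            $assetUrl = ($assetUrl !== null && $assetUrl !== config('app.url')) ? (string) $assetUrl : '';

            $directives = [];
            $directives['default-src'] = "default-src 'self';";
            $directives['base-uri'] = "base-uri 'self';";
            // … unchanged: script-src, script-src-elem, style-src, connect-src, img-src, object-src, implode and return …
```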

+ 1 - 1
config/2fauth.php

@@ -31,7 +31,7 @@ return [
         'proxyLogoutUrl' => env('PROXY_LOGOUT_URL', null),
         'appSubdirectory' => env('APP_SUBDIRECTORY', ''),
         'authLogRetentionTime' => envUnlessEmpty('AUTHENTICATION_LOG_RETENTION', 365),
-        'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', false),
+        'contentSecurityPolicy' => envUnlessEmpty('CONTENT_SECURITY_POLICY', true),
     ],
 
     /*

+ 1 - 1
resources/views/landing.blade.php

@@ -15,7 +15,7 @@
     <link rel="icon" type="image/png" href="{{ asset('favicon.png') }}" />
     <link rel="apple-touch-icon" href="{{ asset('favicon_lg.png') }}" />
     <link rel="apple-touch-icon-precomposed" href="{{ asset('favicon_lg.png') }}" />
-    <link rel="manifest" href="{{ asset('manifest.json') }}">
+    <link rel="manifest" href="manifest.json">
 
 </head>
 <body>
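Review bot: The relative `href="manifest.json"` at line 103 resolves against the URL of whichever page renders this view, not the application root, so it only works while landing.blade.php is served at the root path (or the subdirectory root); it also becomes sensitive to any injected `<base>` element, unlike the absolute URL that `asset()` produced. If the intent is to avoid the ASSET_URL host (presumably for the CSP enabled in this commit — I cannot confirm that from here), `<link rel="manifest" href="{{ url('manifest.json') }}">` keeps an absolute URL derived from `app.url`.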