From 849c7dfe02f5d93535e418c3287b736a6d9cd30a Mon Sep 17 00:00:00 2001
From: James Cole
Date: Thu, 8 Apr 2021 12:10:04 +0200
Subject: [PATCH] Strict headers and CSS nonce

---
 app/Http/Middleware/SecureHeaders.php | 5 +++--
 resources/views/errors/404.twig | 4 ++--
 resources/views/errors/500.twig | 4 ++--
 resources/views/errors/503.twig | 4 ++--
 resources/views/errors/FireflyException.twig | 4 ++--
 resources/views/v2/layout/auth.twig | 4 ++--
 resources/views/v2/layout/default.twig | 4 ++--
 7 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/app/Http/Middleware/SecureHeaders.php b/app/Http/Middleware/SecureHeaders.php
index 82bf301873..96a15655cd 100644
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -53,8 +53,9 @@ class SecureHeaders
 $csp = [
 "default-src 'none'",
 "object-src 'self'",
- sprintf("script-src 'unsafe-inline' 'nonce-%1s' %2s", $nonce, $trackingScriptSrc),
- "style-src 'self' 'unsafe-inline'",
+ sprintf("script-src 'unsafe-inline' 'nonce-%1s' %2s 'strict-dynamic'", $nonce, $trackingScriptSrc),
+ "style-src 'unsafe-inline' 'self'",
+ "frame-ancestors 'none'",
 "base-uri 'self'",
 "font-src 'self' data:",
 "connect-src 'self'",
diff --git a/resources/views/errors/404.twig b/resources/views/errors/404.twig
index 848d6674f5..9fd4e3dc57 100644
--- a/resources/views/errors/404.twig
+++ b/resources/views/errors/404.twig
@@ -8,8 +8,8 @@
-
-
+
+
diff --git a/resources/views/errors/500.twig b/resources/views/errors/500.twig
index 2844d6d9a6..f51d2db4cb 100644
--- a/resources/views/errors/500.twig
+++ b/resources/views/errors/500.twig
@@ -8,8 +8,8 @@
-
-
+
+
diff --git a/resources/views/errors/503.twig b/resources/views/errors/503.twig
index 8d97caf90d..ca92ff26c5 100644
--- a/resources/views/errors/503.twig
+++ b/resources/views/errors/503.twig
@@ -8,8 +8,8 @@
-
-
+
+
diff --git a/resources/views/errors/FireflyException.twig b/resources/views/errors/FireflyException.twig
index 2844d6d9a6..f51d2db4cb 100644
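Review bot: Adding `'strict-dynamic'` to the script-src line changes what the rest of that directive means: CSP Level 3 browsers then ignore the host-source allowlist and `'unsafe-inline'` in the same directive, so the `$trackingScriptSrc` host still formatted into it no longer permits the tracking script on its own; that script only runs if its tag carries the nonce or it is inserted by a nonced script, and the templates touched by this commit are not visible here to confirm that. A second point on the same sprintf call: `%1s` and `%2s` are width specifiers, not positional placeholders, so only argument order keeps the substitution correct; `sprintf("script-src 'unsafe-inline' 'nonce-%s' %s 'strict-dynamic'", $nonce, $trackingScriptSrc)` states the intent plainly. A short comment above the line, such as `// 'unsafe-inline' and the host list are fallbacks for CSP2 browsers; CSP3 browsers honour only the nonce + 'strict-dynamic'`, would keep the next editor from treating the allowlist as live. The `$csp` array and the method building it continue outside the hunk.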
--- a/resources/views/errors/FireflyException.twig
+++ b/resources/views/errors/FireflyException.twig
@@ -8,8 +8,8 @@
-
-
+
+
diff --git a/resources/views/v2/layout/auth.twig b/resources/views/v2/layout/auth.twig
index 1ce7466456..9cfe20eba1 100644
--- a/resources/views/v2/layout/auth.twig
+++ b/resources/views/v2/layout/auth.twig
@@ -13,8 +13,8 @@ // {{ subTitle }} {% endif %} - - + + {% block content %}{% endblock %}
diff --git a/resources/views/v2/layout/default.twig b/resources/views/v2/layout/default.twig
index dd5810df4e..d71ef40955 100644
--- a/resources/views/v2/layout/default.twig
+++ b/resources/views/v2/layout/default.twig
@@ -24,8 +24,8 @@
-
-
+
+