Add CSP sandbox

Fixes https://github.com/PrivateBin/PrivateBin/issues/168 Alos needed to run some Composer stuff, no idea why my diff was different.
7 years ago · e9b10f9e2d
parent 368aa2305b
commit e9b10f9e2d
4 changed files with 12 additions and 2 deletions
--- a/cfg/conf.ini.sample
+++ b/cfg/conf.ini.sample
@ -63,7 +63,8 @@ languageselection = false
 ; custom scripts from third-party domains to your templates, e.g. tracking
 ; scripts or run your site behind certain DDoS-protection services.
 ; Check the documentation at https://content-security-policy.com/
-; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer;"
+; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions.
+; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups"

 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@ -51,7 +51,7 @@ class Configuration
            'languagedefault'          => '',
            'urlshortener'             => '',
            'icon'                     => 'identicon',
-            'cspheader'                => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer;',
+            'cspheader'                => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups',
            'zerobincompatibility'     => false,
        ),
        'expire' => array(
--- a/vendor/composer/autoload_psr4.php
+++ b/vendor/composer/autoload_psr4.php
@ -7,4 +7,5 @@ $baseDir = dirname($vendorDir);

 return array(
    'PrivateBin\\' => array($baseDir . '/lib'),
+    'CodeClimate\\PhpTestReporter\\' => array($vendorDir . '/codeclimate/php-test-reporter/src'),
 );
--- a/vendor/composer/autoload_static.php
+++ b/vendor/composer/autoload_static.php
@ -15,6 +15,10 @@ class ComposerStaticInitDontChange
        array (
            'PrivateBin\\' => 11,
        ),
+        'C' => 
+        array (
+            'CodeClimate\\PhpTestReporter\\' => 28,
+        ),
    );

    public static $prefixDirsPsr4 = array (
@ -22,6 +26,10 @@ class ComposerStaticInitDontChange
        array (
            0 => __DIR__ . '/../..' . '/lib',
        ),
+        'CodeClimate\\PhpTestReporter\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/codeclimate/php-test-reporter/src',
+        ),
    );

    public static $prefixesPsr0 = array (