From e9b10f9e2daa2c0e69f39ca5af8ebf4585337dbb Mon Sep 17 00:00:00 2001
From: rugk <rugk@posteo.de>
Date: Wed, 1 Feb 2017 18:34:13 +0100
Subject: [PATCH] Add CSP sandbox

Fixes https://github.com/PrivateBin/PrivateBin/issues/168

Alos needed to run some Composer stuff, no idea why my diff was different.
---
 cfg/conf.ini.sample                 | 3 ++-
 lib/Configuration.php               | 2 +-
 vendor/composer/autoload_psr4.php   | 1 +
 vendor/composer/autoload_static.php | 8 ++++++++
 4 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/cfg/conf.ini.sample b/cfg/conf.ini.sample
index 1343df0..0d251c1 100644
--- a/cfg/conf.ini.sample
+++ b/cfg/conf.ini.sample
@@ -63,7 +63,8 @@ languageselection = false
 ; custom scripts from third-party domains to your templates, e.g. tracking
 ; scripts or run your site behind certain DDoS-protection services.
 ; Check the documentation at https://content-security-policy.com/
-; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer;"
+; Note: If you use a bootstrap theme, you can remove the allow-popups from the sandbox restrictions.
+; cspheader = "default-src 'none'; manifest-src 'self'; connect-src *; script-src 'self'; style-src 'self'; font-src 'self'; img-src 'self' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups"
 
 ; stay compatible with PrivateBin Alpha 0.19, less secure
 ; if enabled will use base64.js version 1.7 instead of 2.1.9 and sha1 instead of
diff --git a/lib/Configuration.php b/lib/Configuration.php
index 800ea75..4130a22 100644
--- a/lib/Configuration.php
+++ b/lib/Configuration.php
@@ -51,7 +51,7 @@ class Configuration
             'languagedefault'          => '',
             'urlshortener'             => '',
             'icon'                     => 'identicon',
-            'cspheader'                => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer;',
+            'cspheader'                => 'default-src \'none\'; manifest-src \'self\'; connect-src *; script-src \'self\'; style-src \'self\'; font-src \'self\'; img-src \'self\' data:; referrer no-referrer; sandbox allow-same-origin allow-scripts allow-forms allow-popups',
             'zerobincompatibility'     => false,
         ),
         'expire' => array(
diff --git a/vendor/composer/autoload_psr4.php b/vendor/composer/autoload_psr4.php
index 26f0ced..1bddfbd 100644
--- a/vendor/composer/autoload_psr4.php
+++ b/vendor/composer/autoload_psr4.php
@@ -7,4 +7,5 @@ $baseDir = dirname($vendorDir);
 
 return array(
     'PrivateBin\\' => array($baseDir . '/lib'),
+    'CodeClimate\\PhpTestReporter\\' => array($vendorDir . '/codeclimate/php-test-reporter/src'),
 );
diff --git a/vendor/composer/autoload_static.php b/vendor/composer/autoload_static.php
index 001a248..81b8716 100644
--- a/vendor/composer/autoload_static.php
+++ b/vendor/composer/autoload_static.php
@@ -15,6 +15,10 @@ class ComposerStaticInitDontChange
         array (
             'PrivateBin\\' => 11,
         ),
+        'C' => 
+        array (
+            'CodeClimate\\PhpTestReporter\\' => 28,
+        ),
     );
 
     public static $prefixDirsPsr4 = array (
@@ -22,6 +26,10 @@ class ComposerStaticInitDontChange
         array (
             0 => __DIR__ . '/../..' . '/lib',
         ),
+        'CodeClimate\\PhpTestReporter\\' => 
+        array (
+            0 => __DIR__ . '/..' . '/codeclimate/php-test-reporter/src',
+        ),
     );
 
     public static $prefixesPsr0 = array (