Code for #2920

2025-09-30 18:41:08 +00:00 · 2020-01-04 11:00:44 +01:00
parent cb575f3200
commit d83d8d3f97
12 changed files with 42 additions and 38 deletions
--- a/app/Http/Middleware/SecureHeaders.php
+++ b/app/Http/Middleware/SecureHeaders.php
@@ -34,20 +34,24 @@ use Illuminate\Support\Str;
 class SecureHeaders
 {
    /**
-     * Handle an incoming request. May not be a limited user (ie. Sandstorm env. or demo user).
+     * Handle an incoming request.
     *
     * @param \Illuminate\Http\Request $request
-     * @param \Closure $next
+     * @param \Closure                 $next
     *
     * @return mixed
     * @throws \Exception
     */
    public function handle(Request $request, Closure $next)
    {
        $nonce = base64_encode(random_bytes(16));
        app('view')->share('JS_NONCE', $nonce);
        $response    = $next($request);
        $google      = '';
        $googleImg   = '';
        $analyticsId = config('firefly.analytics_id');
-        $token       = Str::random(16);
+
        if ('' !== $analyticsId) {
            $google    = 'www.googletagmanager.com/gtag/js https://www.google-analytics.com/analytics.js'; // @codeCoverageIgnore
            $googleImg = 'https://www.google-analytics.com/';
@@ -55,7 +59,7 @@ class SecureHeaders
        $csp = [
            "default-src 'none'",
            "object-src 'self'",
-            sprintf("script-src 'self' 'unsafe-inline' %s", $google),
+            sprintf("script-src 'nonce-%s' %s", $nonce, $google),
            "style-src 'self' 'unsafe-inline'",
            "base-uri 'self'",
            "font-src 'self' data:",
--- a/resources/views/v1/accounts/create.twig
+++ b/resources/views/v1/accounts/create.twig
@@ -4,7 +4,7 @@
 {% endblock %}
 {% block content %}
    <!-- set location data high up -->
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var locations = {{ locations|json_encode|raw }};
        var mapboxToken = "{{ config('firefly.mapbox_api_key') }}";
    </script>
--- a/resources/views/v1/accounts/edit.twig
+++ b/resources/views/v1/accounts/edit.twig
@@ -6,7 +6,7 @@
 {% block content %}
    <!-- set location data high up -->
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var locations = {{ locations|json_encode|raw }};
        var mapboxToken = "{{ config('firefly.mapbox_api_key') }}";
    </script>
--- a/resources/views/v1/accounts/index.twig
+++ b/resources/views/v1/accounts/index.twig
@@ -75,7 +75,7 @@
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var objectType = '{{ objectType|escape }}';
    </script>
    <script type="text/javascript" src="v1/js/lib/bootstrap-sortable.js?v={{ FF_VERSION }}"></script>
--- a/resources/views/v1/accounts/reconcile/edit.twig
+++ b/resources/views/v1/accounts/reconcile/edit.twig
@@ -93,7 +93,7 @@
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var what = "{{ what }}";
    </script>
    <script type="text/javascript" src="v1/js/lib/typeahead/typeahead.bundle.min.js?v={{ FF_VERSION }}"></script>
--- a/resources/views/v1/accounts/reconcile/index.twig
+++ b/resources/views/v1/accounts/reconcile/index.twig
@@ -126,7 +126,7 @@
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        currencySymbol = "{{ currency.symbol }}";
        var accountID = {{ account.id }};
        var startBalance = {{ startBalance }};
@@ -135,5 +135,5 @@
        var overviewUri = '{{ overviewUri }}';
        var indexUri = '{{ indexUri }}';
    </script>
-    <script src="v1/js/ff/accounts/reconcile.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+    <script src="v1/js/ff/accounts/reconcile.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
 {% endblock %}
--- a/resources/views/v1/accounts/show.twig
+++ b/resources/views/v1/accounts/show.twig
@@ -156,7 +156,7 @@
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        // location stuff
        {% if location %}
--- a/resources/views/v1/admin/update/index.twig
+++ b/resources/views/v1/admin/update/index.twig
@@ -68,8 +68,8 @@
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var updateCheckUri = '{{ route('admin.update-check.manual') }}';
    </script>
-    <script type="text/javascript" src="v1/js/ff/admin/update/index.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/ff/admin/update/index.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {% endblock %}
--- a/resources/views/v1/bills/index.twig
+++ b/resources/views/v1/bills/index.twig
@@ -42,7 +42,7 @@
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var start = '2018-01-01';
        var end = '2018-01-31';
    </script>
--- a/resources/views/v1/bills/show.twig
+++ b/resources/views/v1/bills/show.twig
@@ -177,7 +177,7 @@
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var billCurrencySymbol = "{{ object.data.currency.symbol }}";
        var billUri = '{{ route('chart.bill.single', [object.data.id]) }}';
    </script>
--- a/resources/views/v1/index.twig
+++ b/resources/views/v1/index.twig
@@ -154,7 +154,7 @@
    </div>
 {% endblock %}
 {% block scripts %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var billCount = {{ billCount }};
        var accountFrontpageUri = '{{ route('chart.account.frontpage') }}';
        var accountRevenueUri = '{{ route('chart.account.revenue') }}';
@@ -167,11 +167,11 @@
        {% endif %}
    </script>
-    <script type="text/javascript" src="v1/js/lib/Chart.bundle.min.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/lib/Chart.bundle.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
-    <script type="text/javascript" src="v1/js/lib/chartjs-plugin-annotation.min.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/lib/chartjs-plugin-annotation.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
-    <script type="text/javascript" src="v1/js/ff/charts.defaults.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/ff/charts.defaults.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
-    <script type="text/javascript" src="v1/js/ff/charts.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/ff/charts.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
-    <script type="text/javascript" src="v1/js/ff/index.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/ff/index.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {% endblock %}
 {% block styles %}
 {% endblock %}
--- a/resources/views/v1/layout/default.twig
+++ b/resources/views/v1/layout/default.twig
@@ -41,13 +41,13 @@
    {# Any local custom CSS.  #}
    {% block styles %}{% endblock %}
    <!--[if lt IE 9]>
-    <script src="v1/js/lib/html5shiv.min.js?v={{ FF_VERSION }}"></script>
+    <script src="v1/js/lib/html5shiv.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
-    <script src="v1/js/lib/respond.min.js?v={{ FF_VERSION }}"></script>
+    <script src="v1/js/lib/respond.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
    <![endif]-->
    {# this entry is in the header so it's loaded early #}
    {# SHA256: C45493A8175B10AC47EEDFC7C20AC31FAE5C804FB6C4F75468DB0F95112664BF #}
-    <script type="text/javascript">var forceDemoOff = false;</script>
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">var forceDemoOff = false;</script>
    {# favicons #}
    {% include('partials.favicons') %}
@@ -176,31 +176,31 @@
 {# Java libraries and stuff: #}
 {# Moment JS #}
-<script src="v1/js/lib/moment.min.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+<script src="v1/js/lib/moment.min.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
-<script src="v1/js/ff/moment/{{ language }}.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+<script src="v1/js/ff/moment/{{ language }}.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
 {# All kinds of variables. #}
-<script src="{{ route('javascript.variables') }}?ext=.js&amp;v={{ FF_VERSION }}{% if account %}&amp;account={{ account.id }}{% endif %}" type="text/javascript"></script>
+<script src="{{ route('javascript.variables') }}?ext=.js&amp;v={{ FF_VERSION }}{% if account %}&amp;account={{ account.id }}{% endif %}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
 {# big fat JS thing courtesy of Vue#}
-<script src="v1/js/{{ VUE_SCRIPT_NAME|default('app') }}.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+<script src="v1/js/{{ VUE_SCRIPT_NAME|default('app') }}.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
 {# date range picker, current template, etc.#}
-<script src="v1/js/lib/daterangepicker.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+<script src="v1/js/lib/daterangepicker.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
-<script src="v1/lib/adminlte/js/adminlte.min.js?v={{ FF_VERSION }}" type="text/javascript"></script>
+<script src="v1/lib/adminlte/js/adminlte.min.js?v={{ FF_VERSION }}" type="text/javascript" nonce="{{ JS_NONCE }}"></script>
-<script type="text/javascript" src="v1/js/lib/accounting.min.js?v={{ FF_VERSION }}"></script>
+<script type="text/javascript" src="v1/js/lib/accounting.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {# Firefly III code#}
-<script type="text/javascript" src="v1/js/ff/firefly.js?v={{ FF_VERSION }}"></script>
+<script type="text/javascript" src="v1/js/ff/firefly.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
-<script type="text/javascript" src="v1/js/ff/help.js?v={{ FF_VERSION }}"></script>
+<script type="text/javascript" src="v1/js/ff/help.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {% if not shownDemo %}
-    <script type="text/javascript">
+    <script type="text/javascript" nonce="{{ JS_NONCE }}">
        var routeForTour = "{{ current_route_name }}";
        var routeStepsUri = "{{ route('json.intro', [current_route_name, objectType|default("")]) }}";
        var routeForFinishedTour = "{{ route('json.intro.finished', [current_route_name, objectType|default("")]) }}";
    </script>
-    <script type="text/javascript" src="v1/lib/intro/intro.min.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/lib/intro/intro.min.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
-    <script type="text/javascript" src="v1/js/ff/intro/intro.js?v={{ FF_VERSION }}"></script>
+    <script type="text/javascript" src="v1/js/ff/intro/intro.js?v={{ FF_VERSION }}" nonce="{{ JS_NONCE }}"></script>
 {% endif %}
 {% block scripts %}{% endblock %}
@@ -208,8 +208,8 @@
    <!-- Global site tag (gtag.js) - Google Analytics -->
    <!-- This tag is only here because this instance of Firefly III was purposefully configured to include it -->
    <!-- Your own installation will NOT include it -->
-    <script async src="https://www.googletagmanager.com/gtag/js?id={{ config('firefly.analytics_id')  }}"></script>
+    <script async src="https://www.googletagmanager.com/gtag/js?id={{ config('firefly.analytics_id')  }}" nonce="{{ JS_NONCE }}"></script>
-    <script>
+    <script nonce="{{ JS_NONCE }}">
        window.dataLayer = window.dataLayer || [];
        function gtag(){dataLayer.push(arguments);}
        gtag('js', new Date());