Adds CSP stuff. Bump to 1.2.0

Author: mmikkel

CHANGELOG.md

@@ -1,5 +1,10 @@
 # ToolMate Changelog
 
+## 1.2.0 - 2022-02-13
+### Added
+- Added `Settings::csp` for configuring the Content-Security-Policy header
+- Added the `cspNonce()` Twig function for outputting a CSP nonce attribute or value
+
 ## 1.1.0 - 2021-10-06
 
 ### Added  

README.md

@@ -60,6 +60,92 @@ If set to `0`, error response caches will be stored indefinitely.
 
 See [`craft\helpers\ConfigHelper::durationInSeconds()`](https://docs.craftcms.com/api/v3/craft-helpers-confighelper.html#method-durationinseconds) for a list of supported value types.
 
+### csp [array|null]  
+*Default `null`*  
+
+Configure the Content-Security-Policy header set by Toolmate. Some useful tips:  
+
+* Avoid using `unsafe-inline` and `unsafe-eval` policies, especially for the `script-src` directive. CSP nonces should ideally be used for inline script or style tags, see the `cspNonce()` Twig function.
+* Nonces and `unsafe-inline` cannot be combined. Toolmate works around this to avoid CSP errors, but TLDR; is that you don't need to set nonces if you're also using `unsafe-inline`.  
+* CSP nonces generated by `cspNonce()` are safe to put inside `{% cache %}` tags
+* To enable data-URLs, add a `data:` policy to the relevant directives  
+* For CP requests, Toolmate will always add the necessary `unsafe-inline` and `unsafe-eval` policies, because the CP isn't possible to use without.
+
+#### csp[enabled] [bool]  
+*Default `false`*  
+
+If set to `false`, the CSP header will not be sent for any requests.  
+
+#### csp[enabledForCp] [bool]
+*Default `false`*  
+
+If set to `false`, the CSP header will only be sent for site requests.      
+
+#### csp[reportOnly] [bool]  
+*Default `false`*  
+
+If set to `true`, the CSP header will be sent, but not enforced (i.e. dry-run mode). Useful for testing policies.  
+
+#### csp[directives] [array]
+
+See https://content-security-policy.com/, and the example config below.  
+
+### Example CSP configuration:  
+
+```php
+'csp' => [
+    'enabled' => true,
+    'enabledForCp' => false,
+    'reportOnly' => false,
+    'directives' => [
+        'defaultSrc' => [
+            "'self'",
+        ],
+        'scriptSrc' => [
+            "'self'",
+            "'unsafe-inline'",
+        ],
+        // Sources for stylesheets
+        'styleSrc' => [
+            "'self'",
+            "'unsafe-inline'",
+        ],
+        // Sources for images
+        'imgSrc' => [
+            "'self'",
+            'https://some-project.imgix.net',
+            'data:'
+        ],
+        // Sources for iframes
+        'frameSrc' => [
+            "'self'",
+            'https://www.youtube.com https://player.vimeo.com https://www.facebook.com https://www.googletagmanager.com https://bid.g.doubleclick.net',
+        ],
+        // Domains that are allowed to iframe this site
+        'frameAncestors' => [
+            "'self'",
+        ],
+        'baseUri' => [
+            "'none'",
+        ],
+        'connectSrc' => [],
+        'fontSrc' => [
+            //"'self'",
+        ],
+        'objectSrc' => [],
+        'mediaSrc' => [],
+        'sandbox' => [],
+        'reportUri' => [],
+        'childSrc' => [],
+        'formAction' => [],
+        'reportTo' => [],
+        'workerSrc' => [],
+        'manifestSrc' => [],
+        'navigateTo' => [],
+    ],
+],
+```
+
 ---
 
 ## Template variables
@@ -192,6 +278,25 @@ See `craft.toolmate.getCookie`.
 
 See `craft.toolmate.getCookie`.
 
+### cspNonce(directive, [, asAttribute = false, hash = true])  
+
+Output a CSP nonce. Example:  
+
+```twig
+<script nonce="{{ cspNonce('script-src') }}">
+   console.log('Hello world');
+</script>
+```
+
+```twig
+<style nonce="{{ cspNonce('style-src') }}">
+    body { ... }
+</style>
+```
+
+```twig
+{% js 'foo.js' with { nonce: cspNonce('script-src') } %}
+```
 
 ---
 

composer.json

@@ -2,7 +2,7 @@
     "name": "vaersaagod/toolmate",
     "description": "Is that a tool in your pocket, or are you just happy to see me, mate?",
     "type": "craft-plugin",
-    "version": "1.1.0",
+    "version": "1.2.0",
     "keywords": [
         "craft",
         "cms",

src/ToolMate.php

@@ -4,12 +4,17 @@
 
 use Craft;
 use craft\base\Plugin;
+use craft\events\TemplateEvent;
 use craft\log\FileTarget;
+use craft\web\Application;
 use craft\web\twig\variables\CraftVariable;
 
+use craft\web\View;
+use vaersaagod\toolmate\services\CspService;
 use vaersaagod\toolmate\services\EmbedService;
 use vaersaagod\toolmate\services\MinifyService;
 use vaersaagod\toolmate\services\ToolService;
+use vaersaagod\toolmate\twigextensions\CspTwigExtension;
 use vaersaagod\toolmate\variables\ToolMateVariable;
 use vaersaagod\toolmate\twigextensions\ToolMateTwigExtension;
 use vaersaagod\toolmate\models\Settings;
@@ -21,10 +26,11 @@
  * @package   PluginMate
  * @since     1.0.0
  *
- * @property  EmbedService $embed
- * @property  ToolService $tool
- * @property  Settings $settings
- * @method    Settings getSettings()
+ * @property CspService $csp
+ * @property EmbedService $embed
+ * @property ToolService $tool
+ * @property Settings $settings
+ * @method Settings getSettings()
  */
 class ToolMate extends Plugin
 {
@@ -55,6 +61,7 @@ public function init()
 
         // Register services
         $this->setComponents([
+            'csp' => CspService::class,
             'embed' => EmbedService::class,
             'tool' => ToolService::class,
             'minify' => MinifyService::class,
@@ -74,12 +81,19 @@ static function (Event $event) {
 
         // Add in our Twig extensions
         Craft::$app->view->registerTwigExtension(new ToolMateTwigExtension());
+        Craft::$app->view->registerTwigExtension(new CspTwigExtension());
 
         // Lets use our own log file
         Craft::getLogger()->dispatcher->targets[] = new FileTarget([
             'logFile' => '@storage/logs/toolmate.log',
             'categories' => ['vaersaagod\toolmate\*'],
         ]);
+
+        /**
+         * Maybe send a Content-Security-Policy header
+         */
+        $this->maybeSendCspHeader();
+
     }
 
     // Protected Methods
@@ -92,4 +106,47 @@ protected function createSettingsModel(): Settings
     {
         return new Settings();
     }
+
+    protected function maybeSendCspHeader()
+    {
+
+        $cspConfig = ToolMate::getInstance()->getSettings()->csp;
+
+        if (!$cspConfig->enabled) {
+            return;
+        }
+
+        if (Craft::$app->getRequest()->getIsCpRequest() && !$cspConfig->enabledForCp) {
+            return;
+        }
+
+        // Replace hashed CSP nonces (this gets us around the template cache)
+        Event::on(
+            View::class,
+            View::EVENT_AFTER_RENDER_PAGE_TEMPLATE,
+            static function (TemplateEvent $event) {
+                \preg_match_all('/nonce="([^"]*)"/', $event->output, $matches);
+                $hashedNonces = $matches[1] ?? [];
+                for ($i = 0; $i < \count($hashedNonces); $i += 1) {
+                    if (!$unhashedNonce = Craft::$app->getSecurity()->validateData($hashedNonces[$i])) {
+                        continue;
+                    }
+                    [0 => $directive, 1 => $nonce] = \explode(':', $unhashedNonce);
+                    if (!ToolMate::getInstance()->csp->hasNonce($directive, $nonce)) {
+                        $nonce = ToolMate::getInstance()->csp->createNonce($directive);
+                    }
+                    $event->output = \str_replace($matches[0][$i], "nonce=\"$nonce\"", $event->output);
+                }
+            }
+        );
+
+        Event::on(
+            Application::class,
+            \yii\base\Application::EVENT_AFTER_REQUEST,
+            static function (Event $event) {
+                ToolMate::getInstance()->csp->setHeader();
+            }
+        );
+
+    }
 }

src/config.php

@@ -1,8 +1,45 @@
 <?php
 
 return [
+
     'publicRoot' => '@webroot',
     'enableMinify' => true,
-    'embedCacheDuration' => null,
+    'embedCacheDuration' => null, // null means use Craft's default `cacheDuration` setting
     'embedCacheDurationOnError' => 'PT5M',
+
+    /*
+     * HTTP Content-Security-Policy header config
+     * https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
+     */
+    'csp' => [
+        'enabled' => false,
+        'enabledForCp' => false,
+        'reportOnly' => false,
+        'directives' => [
+            // https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src
+            'defaultSrc' => [],
+            'scriptSrc' => [],
+            // Sources for stylesheets
+            'styleSrc' => [],
+            // Sources for images
+            'imgSrc' => [],
+            // Sources for iframes
+            'frameSrc' => [],
+            // Domains that are allowed to iframe this site
+            'frameAncestors' => [],
+            'baseUri' => [],
+            'connectSrc' => [],
+            'fontSrc' => [],
+            'objectSrc' => [],
+            'mediaSrc' => [],
+            'sandbox' => [],
+            'reportUri' => [],
+            'childSrc' => [],
+            'formAction' => [],
+            'reportTo' => [],
+            'workerSrc' => [],
+            'manifestSrc' => [],
+            'navigateTo' => [],
+        ],
+    ],
 ];

src/models/CspConfig.php

@@ -0,0 +1,58 @@
+<?php
+
+namespace vaersaagod\toolmate\models;
+
+use craft\base\Model;
+
+/**
+ * ToolMate CspConfig Model
+ *
+ * @author    Værsågod
+ * @package   ToolMate
+ * @since     1.2.0
+ */
+class CspConfig extends Model
+{
+
+    /** @var bool */
+    public $enabled = false;
+
+    /** @var bool */
+    public $enabledForCp = false;
+
+    /** @var bool */
+    public $reportOnly = false;
+
+    /**
+     * @var CspDirectives|null
+     * @see getDirectives()
+     * @see setDirectives()
+     */
+    private $_directives;
+
+    /** @inheritdoc */
+    public function setAttributes($values, $safeOnly = true)
+    {
+        $this->setDirectives($values['directives'] ?? []);
+        unset($values['directives']);
+        parent::setAttributes($values, $safeOnly);
+    }
+
+    /**
+     * @param array $directives
+     * @return void
+     */
+    public function setDirectives(array $config = [])
+    {
+        $this->_directives = new CspDirectives($config);
+    }
+
+    public function getDirectives(): CspDirectives
+    {
+        if (!$this->_directives) {
+            $this->_directives = new CspDirectives();
+        }
+        return $this->_directives;
+    }
+
+}