apply csp almost everywhere

2018-05-07 19:21:33 +02:00 · 2018-05-07 19:21:33 +02:00 · a9403f93f8
parent f1b021d770
commit a9403f93f8
11 changed files with 26 additions and 12 deletions
--- a/app/controllers/Tv.scala
+++ b/app/controllers/Tv.scala
@ -92,7 +92,7 @@ object Tv extends LilaController {
    } as JAVASCRIPT withHeaders (CACHE_CONTROL -> "max-age=86400")
  }

-  def frame = Action.async { req =>
+  def frame = Action.async { implicit req =>
    Env.tv.tv.getBestGame map {
      case None => NotFound
      case Some(game) => Ok(views.html.tv.embed(
--- a/app/templating/AssetHelper.scala
+++ b/app/templating/AssetHelper.scala
@ -2,6 +2,7 @@ package lila.app
 package templating

 import controllers.routes
+import play.api.mvc.RequestHeader
 import play.twirl.api.Html

 import lila.api.Context
@ -86,9 +87,9 @@ trait AssetHelper { self: I18nHelper =>
      s"""<script src="$local"></script>"""
  }

-  def defaultCsp(implicit ctx: Context): ContentSecurityPolicy = {
-    val assets = if (ctx.req.secure) "https://" + assetDomain else assetDomain
-    val socket = (if (ctx.req.secure) "wss://" else "ws://") + socketDomain
+  def basicCsp(implicit req: RequestHeader): ContentSecurityPolicy = {
+    val assets = if (req.secure) "https://" + assetDomain else assetDomain
+    val socket = (if (req.secure) "wss://" else "ws://") + socketDomain
    ContentSecurityPolicy(
      defaultSrc = List("'self'", assets),
      connectSrc = List("'self'", assets, socket, lila.api.Env.current.ExplorerEndpoint, lila.api.Env.current.TablebaseEndpoint),
@ -96,10 +97,15 @@ trait AssetHelper { self: I18nHelper =>
      fontSrc = List("'self'", assetDomain, "https://fonts.gstatic.com"),
      childSrc = List("'self'", "https://youtube.com"),
      imgSrc = List("data:", "*"),
-      scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com", ctx.nonce.scriptSrc)
+      scriptSrc = List("'self'", assets, "https://cdnjs.cloudflare.com")
    )
  }

+  def defaultCsp(implicit ctx: Context): ContentSecurityPolicy = {
+    implicit val req = ctx.req
+    basicCsp.withScriptSrc(ctx.nonce.scriptSrc)
+  }
+
  def embedJsUnsafe(js: String)(implicit ctx: Context): Html = Html {
    s"""<script nonce="${ctx.nonce}">$js</script>"""
  }
--- a/app/views/analyse/embedNotFound.scala.html
+++ b/app/views/analyse/embedNotFound.scala.html
@ -4,8 +4,9 @@
 <html>
  <head>
    <meta charset="utf-8">
+    <meta http-equiv="Content-Security-Policy" content="@defaultCsp">
    <title>404 - Game not found</title>
-    <link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet' type='text/css'>
+    <link href="http://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet" type="text/css">
    @ctx.currentBg match {
    case "dark" => { @cssTag("dark.css") }
    case "transp" => { @cssTag("dark.css")@cssTag("transp.css") }
--- a/app/views/base/layout.scala.html
+++ b/app/views/base/layout.scala.html
@ -24,8 +24,8 @@ csp: Option[String] = None)(body: Html)(implicit ctx: Context)
    <meta http-equiv="Content-Security-Policy" content="@csp.getOrElse(defaultCsp)">
    @if(isProd) {
    <title>@fullTitle.getOrElse{@title • lichess.org}</title>
-    <link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet'>
-    <link href="//fonts.googleapis.com/css?family=Roboto+Mono:500&text=0123456789:." rel="stylesheet">
+    <link href="https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet">
+    <link href="https://fonts.googleapis.com/css?family=Roboto+Mono:500&text=0123456789:." rel="stylesheet">
    } else {
    <title>[dev] @fullTitle.getOrElse{@title • lichess.org}</title>
    @cssAt("offline/font.noto.css")
--- a/app/views/puzzle/embed.scala.html
+++ b/app/views/puzzle/embed.scala.html
@ -4,6 +4,7 @@
 <html lang="@lang.language">
  <head>
    <meta charset="utf-8">
+    <meta http-equiv="Content-Security-Policy" content="@defaultCsp">
    <title>lichess.org training</title>
    @ctx.currentBg match {
    case "dark" => { @cssTag("dark.css") }
--- a/app/views/site/api.scala.html
+++ b/app/views/site/api.scala.html
@ -3,6 +3,7 @@
 <html>
  <head>
    <meta charset="utf-8"/>
+    <meta http-equiv="Content-Security-Policy" content="default-src 'self'; style-src https://fonts.googleapis.com 'unsafe-inline'; font-src https://fonts.gstatic.com; script-src https://cdn.jsdelivr.net blob:; connect-src https://raw.githubusercontent.com; img-src data: https://lichess1.org;">
    <title>Lichess HTTP API documentation</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link href="https://fonts.googleapis.com/css?family=Montserrat:300,400,700|Roboto:300,400,700" rel="stylesheet">
--- a/app/views/study/embed.scala.html
+++ b/app/views/study/embed.scala.html
@ -4,8 +4,9 @@
 <html>
  <head>
    <meta charset="utf-8">
+    <meta http-equiv="Content-Security-Policy" content="@defaultCsp">
    <title>@s.name: @chapter.name</title>
-    <link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet'>
+    <link href="https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet">
    @ctx.currentBg match {
    case "dark" => { @cssTag("dark.css") }
    case "transp" => { @cssTag("dark.css")@cssTag("transp.css") }
--- a/app/views/study/embedNotFound.scala.html
+++ b/app/views/study/embedNotFound.scala.html
@ -4,8 +4,9 @@
 <html>
  <head>
    <meta charset="utf-8">
+    <meta http-equiv="Content-Security-Policy" content="@defaultCsp">
    <title>404 - Study not available</title>
-    <link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet' type='text/css'>
+    <link href="https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet" type="text/css">
    @ctx.currentBg match {
    case "dark" => { @cssTag("dark.css") }
    case "transp" => { @cssTag("dark.css")@cssTag("transp.css") }
--- a/app/views/tv/embed.scala.html
+++ b/app/views/tv/embed.scala.html
@ -1,9 +1,10 @@
-@(pov: Pov, bg: String, theme: String, assetVersion: lila.common.AssetVersion)
+@(pov: Pov, bg: String, theme: String, assetVersion: lila.common.AssetVersion)(implicit req: RequestHeader)

 <!doctype html>
 <html>
  <head>
    <meta charset="utf-8">
+    <meta name="Content-Security-Policy" content="@basicCsp">
    <title>lichess.org TV</title>
    @if(bg == "dark") {
    @cssAt("stylesheets/dark.css", true, assetVersion)
--- a/modules/common/src/main/ContentSecurityPolicy.scala
+++ b/modules/common/src/main/ContentSecurityPolicy.scala
@ -10,6 +10,8 @@ case class ContentSecurityPolicy(
    scriptSrc: List[String]
 ) {

+  def withScriptSrc(source: String) = copy(scriptSrc = source :: scriptSrc)
+
  override def toString: String =
    List(
      "default-src " -> defaultSrc,
--- a/public/oops/scheduled-maintenance.html
+++ b/public/oops/scheduled-maintenance.html
@ -22,7 +22,7 @@
      .game { margin-bottom: 2em; }
    </style>
    <meta content="noindex, nofollow" name="robots">
-    <link href='//fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300' rel='stylesheet'>
+    <link href="https://fonts.googleapis.com/css?family=Noto+Sans:400,700|Roboto:300" rel="stylesheet">
  </head>
  <body>
    <h1>lichess.org</h1>