added proper nonces implementation

Signed-off-by: Bruno Meilick <b@bnomei.com>
bnomei · Aug 3, 2018 · 6789092 · 6789092
1 parent 4e9f67e
commit 6789092
Show file tree

Hide file tree

Showing 4 changed files with 29 additions and 3 deletions.
diff --git a/classes/securityheaders.php b/classes/securityheaders.php
@@ -28,6 +28,17 @@ public static function headers($headers)
         }
     }
 
+    private static $nonces = null;
+    public static function nonce($string, $value = null) {
+        if(!static::$nonces) {
+            static::$nonces = [];
+        }
+        if($value && is_string($value)) {
+            static::$nonces[$string] = $value;
+        }
+        return \Kirby\Toolkit\A::get(static::$nonces, $string);
+    }
+
     private static function isWebpack()
     {
         return !!(

diff --git a/composer.json b/composer.json
@@ -1,7 +1,7 @@
 {
     "name": "bnomei/kirby3-security-headers",
     "type": "plugin",
-    "version": "0.5.6",
+    "version": "0.5.7",
     "license": "MIT",
     "description": "Kirby 3 Plugin for easier Security Headers setup",
     "autoload": {

diff --git a/config.php b/config.php
@@ -16,5 +16,14 @@
     ],
     'snippets' => [
         'plugin-securityheaders' => __DIR__ . '/snippets/securityheaders.php',
+    ],
+    'pageMethods' => [
+        'nonce' => function($string) {
+            $n = \Bnomei\SecurityHeaders::nonce($string);
+            if($n) {
+                $n = 'nonce="'.$n.'"';
+            }
+            return $n;
+        }
     ]
 ]);
diff --git a/snippets/securityheaders.php b/snippets/securityheaders.php
@@ -19,8 +19,14 @@
 foreach ($directives as $d) {
     $policy->addSourceSet($d, $sourcesetID);
 }
-foreach (option('bnomei.securityheaders.nounces', []) as $n) {
-    $policy->addNonce(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, $n);
+$nc = ['loadjs.min.js', 'loadjs.min.js-fn', 'webfontloader.js']; // https://github.com/bnomei/kirby3-htmlhead
+$nc = array_merge($nc, option('bnomei.securityheaders.nounces', []));
+foreach ($nc as $id) {
+    $nonceArr = [$id, time(), \filemtime(__FILE__), kirby()->roots()->assets()];
+    shuffle($nonceArr);
+    $nonce = 'nonce-'.base64_encode(sha1(implode('', $nonceArr)));
+    \Bnomei\SecurityHeaders::nonce($id, $nonce);
+    $policy->addNonce(ContentSecurityPolicyHeaderBuilder::DIRECTIVE_SCRIPT_SRC, $nonce);
 }
 foreach (option('bnomei.securityheaders.hashes', []) as $h) {
     $policy->addHash(ContentSecurityPolicyHeaderBuilder::HASH_SHA_256, $h);