Send various securtiy headers

This commit is contained in:
Daniel Winzen
2020-10-15 19:59:42 +02:00
parent 4ddc7de227
commit 32d9609e4f
4 changed files with 32 additions and 13 deletions


@ -111,3 +111,23 @@ function blacklist_scams($address, $content){
}
}
}
function send_headers(array $styles = []){
header('Content-Type: text/html; charset=UTF-8');
header('Pragma: no-cache');
header('Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private');
header('Expires: 0');
header('Referrer-Policy: no-referrer');
header("Permissions-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; cross-origin-isolated 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; geolocation 'none'; fullscreen 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; screen-wake-lock 'none'; sync-xhr 'none'; usb 'none'; web-share 'none'; xr-spatial-tracking 'none'; clipboard-read 'none'; clipboard-write 'none'; gamepad 'none'; speaker-selection 'none'; conversion-measurement 'none'; focus-without-user-activation 'none'; hid 'none'; idle-detection 'none'; sync-script 'none'; vertical-scroll 'none'; serial 'none'; trust-token-redemption 'none';");
$style_hashes = '';
foreach($styles as $style) {
$style_hashes .= " 'sha256-".base64_encode(hash('sha256', $style, true))."'";
}
header("Content-Security-Policy: default-src 'none'; font-src 'self'; form-action 'self'; img-src 'self' data:; media-src 'self'; style-src 'self'$style_hashes");
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: sameorigin');
header('X-XSS-Protection: 1; mode=block');
if($_SERVER['REQUEST_METHOD'] === 'HEAD'){
exit; // headers sent, no further processing needed
}
}
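Review bot: The CSP sent by `header("Content-Security-Policy: ...")` sets no `frame-ancestors` and no `base-uri`, so clickjacking protection rests only on the legacy `X-Frame-Options: sameorigin` further down, and an injected `<base href>` could re-point the relative `'self'` targets of `font-src` and `form-action` (one of the patched pages emits a `<base>` element itself). I would extend the directive list: `header("Content-Security-Policy: default-src 'none'; base-uri 'self'; frame-ancestors 'self'; font-src 'self'; form-action 'self'; img-src 'self' data:; media-src 'self'; style-src 'self'$style_hashes");`. With scripts already denied by `default-src 'none'`, `X-XSS-Protection: 1; mode=block` adds nothing, and current guidance is to send `0` or omit it. The function also deserves a docblock stating that each element of `$styles` must be the exact byte string later echoed inside a `<style>` element, since its sha256 is what `style-src` allowlists, and that the function calls `exit` for HEAD requests.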


@ -1,9 +1,7 @@
<?php
header('Content-Type: text/html; charset=UTF-8');
if($_SERVER['REQUEST_METHOD']==='HEAD'){
exit; // headers sent, no further processing needed
}
require_once('../common_config.php');
$style = '.red{color:red} .green{color:green} .software-link{text-align:center;font-size:small}';
send_headers([$style]);
try{
$db=new PDO('mysql:host=' . DBHOST . ';dbname=' . DBNAME . ';charset=utf8mb4', DBUSER, DBPASS, [PDO::ATTR_ERRMODE=>PDO::ERRMODE_WARNING, PDO::ATTR_PERSISTENT=>PERSISTENT]);
}catch(PDOException $e){
@ -14,7 +12,7 @@ echo '<!DOCTYPE html><html><head>';
echo "<title>$I[admintitle]</title>";
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">';
echo '<meta name=viewport content="width=device-width, initial-scale=1">';
echo '<style type="text/css">.red{color:red} .green{color:green} .software-link{text-align:center;font-size:small}</style>';
echo '<style type="text/css">'.$style.'</style>';
echo '</head><body>';
echo "<h1>$I[admintitle]</h1>";
print_langs();
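Review bot: `echo '<style type="text/css">'.$style.'</style>';` only works because `$style` is emitted byte-for-byte as it was passed to `send_headers([$style])` in the hunk above; any later edit that reformats or appends to the string between the two points will silently invalidate the `style-src` hash and the browser will drop the stylesheet. A one-line comment at the `$style = ...` assignment would guard that coupling, e.g. `// hashed for CSP style-src by send_headers(); echo it unchanged below`. The same coupling exists in the other two patched pages, at the `$style` assignments and echoes in `send_html()` and in the test page.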


@ -42,7 +42,11 @@ if(!isset($_REQUEST['format'])){
function send_html(){
global $I, $categories, $db, $language;
header('Content-Type: text/html; charset=UTF-8');
$style = '.red{color:red} .green{color:green} .up td+td+td{background-color:#aaff88} .down td+td+td{background-color:#ff4444}';
$style .= '.promo{outline:medium solid #FFD700} .list{display: inline-block; padding: 0; margin: 0} .list li{display:inline}';
$style .= '.active{font-weight:bold} .down td+td+td+td+td,.up td+td+td+td+td{background-color:unset} #maintable td{word-break:break-all}';
$style .= '#maintable td+td+td{word-break:unset} #maintable tr td:first-child{min-width:16em} .software-link{text-align:center;font-size:small}';
send_headers([$style]);
asort($categories);
//sql for special categories
$special=[
@ -65,7 +69,7 @@ function send_html(){
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">';
echo '<meta name="author" content="Daniel Winzen">';
echo '<meta name="viewport" content="width=device-width, initial-scale=1">';
echo '<style type="text/css">.red{color:red} .green{color:green} .up td+td+td{background-color:#aaff88} .down td+td+td{background-color:#ff4444} .promo{outline:medium solid #FFD700} .list{display: inline-block; padding: 0; margin: 0} .list li{display:inline} .active{font-weight:bold} .down td+td+td+td+td,.up td+td+td+td+td{background-color:unset} #maintable td{word-break:break-all} #maintable td+td+td{word-break:unset} #maintable tr td:first-child{min-width:16em} .software-link{text-align:center;font-size:small}</style>';
echo '<style type="text/css">'.$style.'</style>';
echo '<base rel="noopener" target="_blank">';
echo '</head><body>';
echo "<h1>$I[title]</h1>";


@ -1,16 +1,13 @@
<?php
header('Content-Type: text/html; charset=UTF-8');
header('Cache-Control: max-age=600');
if($_SERVER['REQUEST_METHOD']==='HEAD'){
exit; // headers sent, no further processing needed
}
require_once('../common_config.php');
$style = '.red{color:red} .green{color:green}';
send_headers([$style]);
echo '<!DOCTYPE html><html><head>';
echo "<title>$I[testtitle]</title>";
echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8">';
echo '<meta name="author" content="Daniel Winzen">';
echo '<meta name="viewport" content="width=device-width, initial-scale=1">';
echo '<style type="text/css">.red{color:red} .green{color:green}</style>';
echo '<style type="text/css">'.$style.'</style>';
echo '</head><body>';
echo '<h1>Online-Test</h1>';
print_langs();
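Review bot: The removed `header('Cache-Control: max-age=600');` has no counterpart in `send_headers()`, which always sends `Cache-Control: no-cache, no-store, must-revalidate, max-age=0, private`, so this page presumably moves from ten minutes of caching to none. If that is intended the commit message should say so; otherwise `send_headers()` needs a way to override the cache policy rather than fixing it for every caller. The hunk also keeps `<meta http-equiv="Content-Type" ...>` alongside the `Content-Type` header now sent centrally, which is harmless but redundant.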