<?php /** * @package Joomla.Plugin * @subpackage System.HttpHeaders * * @copyright (C) 2018 Open Source Matters, Inc. <https://www.joomla.org> * @license GNU General Public License version 2 or later; see LICENSE.txt * @phpcs:disable PSR1.Classes.ClassDeclaration.MissingNamespace */ use Joomla\CMS\Application\CMSApplication; use Joomla\CMS\Plugin\CMSPlugin; use Joomla\CMS\Uri\Uri; use Joomla\Database\DatabaseDriver; use Joomla\Event\DispatcherInterface; use Joomla\Event\Event; use Joomla\Event\SubscriberInterface; // phpcs:disable PSR1.Files.SideEffects \defined('_JEXEC') or die; // phpcs:enable PSR1.Files.SideEffects /** * Plugin class for HTTP Headers * * @since 4.0.0 */ class PlgSystemHttpHeaders extends CMSPlugin implements SubscriberInterface { /** * Application object. * * @var CMSApplication * @since 4.0.0 */ protected $app; /** * Database object. * * @var DatabaseDriver * @since 4.0.0 */ protected $db; /** * The generated csp nonce value * * @var string * @since 4.0.0 */ private $cspNonce; /** * The list of the supported HTTP headers * * @var array * @since 4.0.0 */ private $supportedHttpHeaders = [ 'strict-transport-security', 'content-security-policy', 'content-security-policy-report-only', 'x-frame-options', 'referrer-policy', 'expect-ct', 'feature-policy', 'cross-origin-opener-policy', 'report-to', 'permissions-policy', ]; /** * The list of valid directives based on: https://www.w3.org/TR/CSP3/#csp-directives * * @var array * @since 4.0.0 */ private $validDirectives = [ 'child-src', 'connect-src', 'default-src', 'font-src', 'frame-src', 'img-src', 'manifest-src', 'media-src', 'prefetch-src', 'object-src', 'script-src', 'script-src-elem', 'script-src-attr', 'style-src', 'style-src-elem', 'style-src-attr', 'worker-src', 'base-uri', 'plugin-types', 'sandbox', 'form-action', 'frame-ancestors', 'navigate-to', 'report-uri', 'report-to', 'block-all-mixed-content', 'upgrade-insecure-requests', 'require-sri-for', ]; /** * The list of directives without a value * * @var array * @since 4.0.0 */ private $noValueDirectives = [ 'block-all-mixed-content', 'upgrade-insecure-requests', ]; /** * The list of directives supporting nonce * * @var array * @since 4.0.0 */ private $nonceDirectives = [ 'script-src', 'style-src', ]; /** * Constructor. * * @param DispatcherInterface $subject The object to observe. * @param array $config An optional associative array of configuration settings. * * @since 4.0.0 */ public function __construct(&$subject, $config) { parent::__construct($subject, $config); $nonceEnabled = (int) $this->params->get('nonce_enabled', 0); // Nonce generation when it's enabled if ($nonceEnabled) { $this->cspNonce = base64_encode(bin2hex(random_bytes(64))); } // Set the nonce, when not set we set it to NULL which is checked down the line $this->app->set('csp_nonce', $this->cspNonce); } /** * Returns an array of events this subscriber will listen to. * * @return array * * @since 4.0.0 */ public static function getSubscribedEvents(): array { return [ 'onAfterInitialise' => 'setHttpHeaders', 'onAfterRender' => 'applyHashesToCspRule', ]; } /** * The `applyHashesToCspRule` method makes sure the csp hashes are added to the csp header when enabled * * @return void * * @since 4.0.0 */ public function applyHashesToCspRule(Event $event): void { // CSP is only relevant on html pages. Let's early exit here. if ($this->app->getDocument()->getType() !== 'html') { return; } $scriptHashesEnabled = (int) $this->params->get('script_hashes_enabled', 0); $styleHashesEnabled = (int) $this->params->get('style_hashes_enabled', 0); // Early exit when both options are disabled if (!$scriptHashesEnabled && !$styleHashesEnabled) { return; } $headData = $this->app->getDocument()->getHeadData(); $scriptHashes = []; $styleHashes = []; if ($scriptHashesEnabled) { // Generate the hashes for the script-src $inlineScripts = is_array($headData['script']) ? $headData['script'] : []; foreach ($inlineScripts as $type => $scripts) { foreach ($scripts as $hash => $scriptContent) { $scriptHashes[] = "'sha256-" . base64_encode(hash('sha256', $scriptContent, true)) . "'"; } } } if ($styleHashesEnabled) { // Generate the hashes for the style-src $inlineStyles = is_array($headData['style']) ? $headData['style'] : []; foreach ($inlineStyles as $type => $styles) { foreach ($styles as $hash => $styleContent) { $styleHashes[] = "'sha256-" . base64_encode(hash('sha256', $styleContent, true)) . "'"; } } } // Replace the hashes in the csp header when set. $headers = $this->app->getHeaders(); foreach ($headers as $id => $headerConfiguration) { if ( strtolower($headerConfiguration['name']) === 'content-security-policy' || strtolower($headerConfiguration['name']) === 'content-security-policy-report-only' ) { $newHeaderValue = $headerConfiguration['value']; if (!empty($scriptHashes)) { $newHeaderValue = str_replace('{script-hashes}', implode(' ', $scriptHashes), $newHeaderValue); } else { $newHeaderValue = str_replace('{script-hashes}', '', $newHeaderValue); } if (!empty($styleHashes)) { $newHeaderValue = str_replace('{style-hashes}', implode(' ', $styleHashes), $newHeaderValue); } else { $newHeaderValue = str_replace('{style-hashes}', '', $newHeaderValue); } $this->app->setHeader($headerConfiguration['name'], $newHeaderValue, true); } } } /** * The `setHttpHeaders` method handle the setting of the configured HTTP Headers * * @return void * * @since 4.0.0 */ public function setHttpHeaders(Event $event): void { // Set the default header when they are enabled $this->setStaticHeaders(); // Handle CSP Header configuration $cspEnabled = (int) $this->params->get('contentsecuritypolicy', 0); $cspClient = (string) $this->params->get('contentsecuritypolicy_client', 'site'); // Check whether CSP is enabled and enabled by the current client if ($cspEnabled && ($this->app->isClient($cspClient) || $cspClient === 'both')) { $this->setCspHeader(); } } /** * Set the CSP header when enabled * * @return void * * @since 4.0.0 */ private function setCspHeader(): void { $cspReadOnly = (int) $this->params->get('contentsecuritypolicy_report_only', 1); $cspHeader = $cspReadOnly === 0 ? 'content-security-policy' : 'content-security-policy-report-only'; // In custom mode we compile the header from the values configured $cspValues = $this->params->get('contentsecuritypolicy_values', []); $nonceEnabled = (int) $this->params->get('nonce_enabled', 0); $scriptHashesEnabled = (int) $this->params->get('script_hashes_enabled', 0); $strictDynamicEnabled = (int) $this->params->get('strict_dynamic_enabled', 0); $styleHashesEnabled = (int) $this->params->get('style_hashes_enabled', 0); $frameAncestorsSelfEnabled = (int) $this->params->get('frame_ancestors_self_enabled', 1); $frameAncestorsSet = false; foreach ($cspValues as $cspValue) { // Handle the client settings foreach header if (!$this->app->isClient($cspValue->client) && $cspValue->client != 'both') { continue; } // Handle non value directives if (in_array($cspValue->directive, $this->noValueDirectives)) { $newCspValues[] = trim($cspValue->directive); continue; } // We can only use this if this is a valid entry if ( in_array($cspValue->directive, $this->validDirectives) && !empty($cspValue->value) ) { if (in_array($cspValue->directive, $this->nonceDirectives) && $nonceEnabled) { /** * That line is for B/C we do no longer require to add the nonce tag * but add it once the setting is enabled so this line here is needed * to remove the outdated tag that was required until 4.2.0 */ $cspValue->value = str_replace('{nonce}', '', $cspValue->value); // Append the nonce when the nonce setting is enabled $cspValue->value = "'nonce-" . $this->cspNonce . "' " . $cspValue->value; } // Append the script hashes placeholder if ($scriptHashesEnabled && strpos($cspValue->directive, 'script-src') === 0) { $cspValue->value = '{script-hashes} ' . $cspValue->value; } // Append the style hashes placeholder if ($styleHashesEnabled && strpos($cspValue->directive, 'style-src') === 0) { $cspValue->value = '{style-hashes} ' . $cspValue->value; } if ($cspValue->directive === 'frame-ancestors') { $frameAncestorsSet = true; } // Add strict-dynamic to the script-src directive when enabled if ( $strictDynamicEnabled && $cspValue->directive === 'script-src' && strpos($cspValue->value, 'strict-dynamic') === false ) { $cspValue->value = "'strict-dynamic' " . $cspValue->value; } $newCspValues[] = trim($cspValue->directive) . ' ' . trim($cspValue->value); } } if ($frameAncestorsSelfEnabled && !$frameAncestorsSet) { $newCspValues[] = "frame-ancestors 'self'"; } if (empty($newCspValues)) { return; } $this->app->setHeader($cspHeader, trim(implode('; ', $newCspValues))); } /** * Get the configured static headers. * * @return array We return the array of static headers with its values. * * @since 4.0.0 */ private function getStaticHeaderConfiguration(): array { $staticHeaderConfiguration = []; // X-frame-options if ($this->params->get('xframeoptions', 1) === 1) { $staticHeaderConfiguration['x-frame-options#both'] = 'SAMEORIGIN'; } // Referrer-policy $referrerPolicy = (string) $this->params->get('referrerpolicy', 'strict-origin-when-cross-origin'); if ($referrerPolicy !== 'disabled') { $staticHeaderConfiguration['referrer-policy#both'] = $referrerPolicy; } // Cross-Origin-Opener-Policy $coop = (string) $this->params->get('coop', 'same-origin'); if ($coop !== 'disabled') { $staticHeaderConfiguration['cross-origin-opener-policy#both'] = $coop; } // Generate the strict-transport-security header and make sure the site is SSL if ($this->params->get('hsts', 0) === 1 && Uri::getInstance()->isSsl() === true) { $hstsOptions = []; $hstsOptions[] = 'max-age=' . (int) $this->params->get('hsts_maxage', 31536000); if ($this->params->get('hsts_subdomains', 0) === 1) { $hstsOptions[] = 'includeSubDomains'; } if ($this->params->get('hsts_preload', 0) === 1) { $hstsOptions[] = 'preload'; } $staticHeaderConfiguration['strict-transport-security#both'] = implode('; ', $hstsOptions); } // Generate the additional headers $additionalHttpHeaders = $this->params->get('additional_httpheader', []); foreach ($additionalHttpHeaders as $additionalHttpHeader) { // Make sure we have a key and a value if (empty($additionalHttpHeader->key) || empty($additionalHttpHeader->value)) { continue; } // Make sure the header is a valid and supported header if (!in_array(strtolower($additionalHttpHeader->key), $this->supportedHttpHeaders)) { continue; } // Make sure we do not add one header twice but we support to set a different header per client. if ( isset($staticHeaderConfiguration[$additionalHttpHeader->key . '#' . $additionalHttpHeader->client]) || isset($staticHeaderConfiguration[$additionalHttpHeader->key . '#both']) ) { continue; } // Allow the custom csp headers to use the random $cspNonce in the rules if (in_array(strtolower($additionalHttpHeader->key), ['content-security-policy', 'content-security-policy-report-only'])) { $additionalHttpHeader->value = str_replace('{nonce}', "'nonce-" . $this->cspNonce . "'", $additionalHttpHeader->value); } $staticHeaderConfiguration[$additionalHttpHeader->key . '#' . $additionalHttpHeader->client] = $additionalHttpHeader->value; } return $staticHeaderConfiguration; } /** * Set the static headers when enabled * * @return void * * @since 4.0.0 */ private function setStaticHeaders(): void { $staticHeaderConfiguration = $this->getStaticHeaderConfiguration(); if (empty($staticHeaderConfiguration)) { return; } foreach ($staticHeaderConfiguration as $headerAndClient => $value) { $headerAndClient = explode('#', $headerAndClient); $header = $headerAndClient[0]; $client = $headerAndClient[1] ?? 'both'; if (!$this->app->isClient($client) && $client != 'both') { continue; } $this->app->setHeader($header, $value, true); } } }
