diff --git a/Application/views/admin/de/security_lang.php b/Application/views/admin/de/security_lang.php
index 2a85fa5..e78c70e 100755
--- a/Application/views/admin/de/security_lang.php
+++ b/Application/views/admin/de/security_lang.php
@@ -6,7 +6,20 @@
 'SHOP_MODULE_GROUP_rs-security_main' => 'Standard headers',
 'SHOP_MODULE_rs-security_Strict-Transport-Security' => 'Strict-Transport-Security (Default: max-age=63072000; includeSubDomains; preload)',
- 'SHOP_MODULE_rs-security_Content-Security-Policy' => "Content-Security-Policy (Default: default-src 'self' https: ; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self'; form-action 'self' https://www.paypal.com/paymentwall/payment-selection; base-uri 'self';)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_01' => "Content-Security-Policy part 1 (Default: default-src 'self' https:)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_02' => "Content-Security-Policy part 2 (Default: object-src 'none')",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_03' => "Content-Security-Policy part 3 (Default: style-src 'self' 'unsafe-inline' https://fonts.googleapis.com)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_04' => "Content-Security-Policy part 4 (Default: font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_05' => "Content-Security-Policy part 5 (Default: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_06' => "Content-Security-Policy part 6 (Default: img-src 'self' data: 
https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_07' => "Content-Security-Policy part 7 (Default: connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_08' => "Content-Security-Policy part 8 (Default: frame-ancestors 'self')",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_09' => "Content-Security-Policy part 9 (Default: form-action 'self' https://www.paypal.com/paymentwall/payment-selection)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_10' => "Content-Security-Policy part 10 (Default: base-uri 'self')",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_11' => "Content-Security-Policy part 11",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_12' => "Content-Security-Policy part 12",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_13' => "Content-Security-Policy part 13",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_14' => "Content-Security-Policy part 14",
 'SHOP_MODULE_rs-security_X-Content-Type-Options' => 'X-Content-Type-Options (Default: nosniff)',
 'SHOP_MODULE_rs-security_X-Frame-Options' => 'X-Frame-Options (Default: SAMEORIGIN)',
 'SHOP_MODULE_rs-security_X-XSS-Protection' => 'X-XSS-Protection (Default: 1; mode=block)',
diff --git a/Application/views/admin/en/security_lang.php b/Application/views/admin/en/security_lang.php
index e679482..dea5424 100755
--- a/Application/views/admin/en/security_lang.php
+++ b/Application/views/admin/en/security_lang.php
@@ -6,7 +6,20 @@
 'SHOP_MODULE_GROUP_rs-security_main' => 'Standard headers',
 'SHOP_MODULE_rs-security_Strict-Transport-Security' => 'Strict-Transport-Security (Default: max-age=63072000; includeSubDomains; preload)',
- 'SHOP_MODULE_rs-security_Content-Security-Policy' => "Content-Security-Policy (Default: default-src 'self' https: ; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self'; form-action 'self' https://www.paypal.com/paymentwall/payment-selection; base-uri 'self';)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_01' => "Content-Security-Policy part 1 (Default: default-src 'self' https:)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_02' => "Content-Security-Policy part 2 (Default: object-src 'none')",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_03' => "Content-Security-Policy part 3 (Default: style-src 'self' 'unsafe-inline' https://fonts.googleapis.com)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_04' => "Content-Security-Policy part 4 (Default: font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_05' => "Content-Security-Policy part 5 (Default: script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_06' => "Content-Security-Policy part 6 (Default: img-src 'self' data: 
https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_07' => "Content-Security-Policy part 7 (Default: connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_08' => "Content-Security-Policy part 8 (Default: frame-ancestors 'self')",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_09' => "Content-Security-Policy part 9 (Default: form-action 'self' https://www.paypal.com/paymentwall/payment-selection)",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_10' => "Content-Security-Policy part 10 (Default: base-uri 'self')",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_11' => "Content-Security-Policy part 11",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_12' => "Content-Security-Policy part 12",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_13' => "Content-Security-Policy part 13",
+ 'SHOP_MODULE_rs-security_Content-Security-Policy_14' => "Content-Security-Policy part 14",
 'SHOP_MODULE_rs-security_X-Content-Type-Options' => 'X-Content-Type-Options (Default: nosniff)',
 'SHOP_MODULE_rs-security_X-Frame-Options' => 'X-Frame-Options (Default: SAMEORIGIN)',
 'SHOP_MODULE_rs-security_X-XSS-Protection' => 'X-XSS-Protection (Default: 1; mode=block)',
diff --git a/Core/Output.php b/Core/Output.php
index 5f27355..919c401 100755
--- a/Core/Output.php
+++ b/Core/Output.php
@@ -22,7 +22,6 @@ public function sendHeaders()
 //Standard
 $aHeaders = [
 'Strict-Transport-Security',
- 'Content-Security-Policy',
 'X-Content-Type-Options',
 'X-Frame-Options',
 'X-XSS-Protection',
@@ -35,6 +34,21 @@ public function sendHeaders()
 \OxidEsales\Eshop\Core\Registry::getUtils()->setHeader($sHeader.":".$sValue);
 }
+ $sHeader = "Content-Security-Policy";
+ $aValues = [];
+ for($x=1;$x<15;$x++)
+ {
+ $sValue = 'rs-security_'.$sHeader.'_'.str_pad($x,2,'0',STR_PAD_LEFT);
+ $sValue = trim($oConfig->getConfigParam($sValue));
+ if($sValue && $sValue!=="")
+ $aValues[]=$sValue;
+ }
+ if(!empty($aValues))
+ {
+ $sValue = implode(" ; ",$aValues)." ;";
+ \OxidEsales\Eshop\Core\Registry::getUtils()->setHeader($sHeader.":".$sValue);
+ }
+
 //Additional
 $aHeaders = [
 '1',
diff --git a/metadata.php b/metadata.php
index fc6f38b..898a234 100755
--- a/metadata.php
+++ b/metadata.php
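Review bot: `trim($oConfig->getConfigParam($sValue))` in the new loop hands whatever getConfigParam returns straight to trim(), so a slot that has no stored value (slots 11–14 ship empty in metadata.php, and any of the 14 names may be missing from the config table) presumably yields null and, on PHP 8.1+, a "passing null to parameter of type string" deprecation; the following `if($sValue && $sValue!=="")` is also redundant, since the first operand already rejects the empty string. Suggest `$sValue = trim((string) $oConfig->getConfigParam($sValue));` followed by `if ($sValue !== '') {` so the null case is handled explicitly and emptiness is a single strict comparison. The loop bound `15` silently duplicates the number of slots declared in metadata.php; a named constant such as `private const CSP_PARTS = 14;` would keep the two in step when slots are added. Each slot is concatenated into the header unchecked, so it may be worth rejecting values containing CR/LF before joining rather than relying on the header API to refuse them, and `implode('; ', $aValues)` is the conventional form — the current `" ; "` plus trailing `" ;"` emits an empty final directive, which browsers tolerate but which is not intentional. sendHeaders() starts before and continues after this hunk.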
@@ -26,12 +26,94 @@
 'type' => 'str',
 'value' => 'max-age=63072000; includeSubDomains; preload',
 ),
+
+
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_01',
+ 'type' => 'str',
+ 'value' => "default-src 'self' https:",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_02',
+ 'type' => 'str',
+ 'value' => "object-src 'none'",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_03',
+ 'type' => 'str',
+ 'value' => "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_04',
+ 'type' => 'str',
+ 'value' => "font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_05',
+ 'type' => 'str',
+ 'value' => "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_06',
+ 'type' => 'str',
+ 'value' => "img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_07',
+ 'type' => 'str',
+ 'value' => "connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_08',
+ 'type' => 'str',
+ 'value' => "frame-ancestors 'self'",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_09',
+ 'type' => 'str',
+ 'value' => "form-action 'self' https://www.paypal.com/paymentwall/payment-selection",
+ ),
+ array(
+ 
'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_10',
+ 'type' => 'str',
+ 'value' => "base-uri 'self'",
+ ),
 array(
 'group' => 'rs-security_main',
- 'name' => 'rs-security_Content-Security-Policy',
+ 'name' => 'rs-security_Content-Security-Policy_11',
 'type' => 'str',
- 'value' => "default-src 'self' https: ; object-src 'none'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.googleapis.com https://fonts.gstatic.com; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.paypal.com/paymentwall/payment-selection https://www.paypalobjects.com https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; connect-src 'self' https://www.google-analytics.com www.google-analytics.com https://stats.g.doubleclick.net; frame-ancestors 'self'; form-action 'self' https://www.paypal.com/paymentwall/payment-selection; base-uri 'self';",
+ 'value' => "",
 ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_12',
+ 'type' => 'str',
+ 'value' => "",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_13',
+ 'type' => 'str',
+ 'value' => "",
+ ),
+ array(
+ 'group' => 'rs-security_main',
+ 'name' => 'rs-security_Content-Security-Policy_14',
+ 'type' => 'str',
+ 'value' => "",
+ ),
+
+
 array(
 'group' => 'rs-security_main',
 'name' => 'rs-security_X-Content-Type-Options',
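Review bot: The new `font-src` default in slot 04 adds `data:`, which the replaced single-line default did not allow, and nothing in the hunk explains that loosening; a one-line comment above that entry, e.g. `// data: font sources added in the split — TODO confirm which component needs them`, would record the reason for the next maintainer. Slots 11–14 are declared with an empty `'value'` and no hint of their role; a comment such as `// spare CSP slots, empty by default; every non-empty slot is joined into the header by Core/Output.php` would help an admin editing them and would tie the count to the loop bound in Output.php. The `script-src` default retains `'unsafe-inline' 'unsafe-eval'`, which largely removes the policy's protection against injected scripts; that is unchanged from the previous default, but now that the value is an admin-editable slot of its own it deserves a comment saying why it is kept. The empty `+` lines added before slot 01 and after slot 14 are stray whitespace.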