feat(security): add Content-Security-Policy headers with strict script-src
Eliminate all inline scripts to enable script-src 'self' without 'unsafe-inline', providing strong XSS mitigation via CSP. Inline script removal: - login.phtml: replace inline APP_ASSET_BASE with data-asset-base attribute + app-boot.js (matching default.phtml pattern) - api-docs: extract SwaggerUI init to js/pages/admin-api-docs-index.js - docs: extract checkbox enablement to js/pages/admin-docs-index.js - language-switcher: replace onchange handler with data-auto-submit attribute + js/components/app-auto-submit.js event listener CSP policy (dev + prod nginx): default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'self'; frame-ancestors 'none'; manifest-src 'self' Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
@@ -17,15 +17,14 @@ if ($bufferTitle !== '') {
|
||||
<!DOCTYPE html>
|
||||
<html
|
||||
data-theme="<?php e($theme); ?>"
|
||||
data-asset-base="<?php e(asset('')); ?>"
|
||||
data-password-toggle-show-label="<?php e(t('Show password')); ?>"
|
||||
data-password-toggle-hide-label="<?php e(t('Hide password')); ?>"
|
||||
<?php if ($primaryVars !== ''): ?>style="<?php e($primaryVars); ?>" <?php endif; ?>>
|
||||
|
||||
<head>
|
||||
<script src="<?php e(assetVersion('js/app-boot.js')); ?>"></script>
|
||||
<base href="<?php e(localeBase()); ?>">
|
||||
<script>
|
||||
window.APP_ASSET_BASE = "<?php e(asset('')); ?>";
|
||||
</script>
|
||||
<title><?php e($pageTitle); ?></title>
|
||||
<meta property="og:site_name" content="<?php e($defaultTitle); ?>">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|
||||
|
||||
@@ -44,7 +44,7 @@ $publicTarget = ltrim($publicTarget, '/');
|
||||
<?php if ($isLoggedIn): ?>
|
||||
<form class="nav nav--lang" method="get" action="<?php e($baseUrl); ?>" aria-label="<?php e(t('Language switcher')); ?>">
|
||||
<input type="hidden" name="return" value="<?php e($returnTarget); ?>">
|
||||
<select class="lang-select" name="locale" onchange="this.form.submit()">
|
||||
<select class="lang-select" name="locale" data-auto-submit>
|
||||
<?php foreach ($locales as $locale): ?>
|
||||
<option value="<?php e($locale); ?>" <?php if ($locale === I18n::$locale) { ?>selected<?php } ?>>
|
||||
<?php e(strtoupper((string) $locale)); ?>
|
||||
|
||||
Reference in New Issue
Block a user