From b4a24ea1692276feb479e9675757f2150b14f5ba Mon Sep 17 00:00:00 2001
From: hiromi-mi <hiromi-mi@cat.zaq.jp>
Date: Fri, 19 Jun 2020 21:34:09 +0900
Subject: [PATCH] Implement CSP

---
 app.py                | 15 +++++++++++++++
 requirements.txt      |  1 +
 templates/layout.html |  2 +-
 templates/login.html  |  4 ++--
 templates/new.html    |  2 +-
 templates/u2f.html    |  2 +-
 6 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/app.py b/app.py
index 23f2864..b851d1f 100644
--- a/app.py
+++ b/app.py
@@ -29,6 +29,7 @@ from little_boxes.errors import Error
 from little_boxes.httpsig import verify_request
 from little_boxes.webfinger import get_remote_follow_template
 from werkzeug.exceptions import InternalServerError
+from flask_talisman import Talisman
 
 import blueprints.admin
 import blueprints.indieauth
@@ -93,7 +94,21 @@ app.register_blueprint(blueprints.indieauth.blueprint)
 app.register_blueprint(blueprints.tasks.blueprint)
 app.register_blueprint(blueprints.well_known.blueprint)
 app.config.update(WTF_CSRF_CHECK_DEFAULT=False)
+app.config.update(SESSION_COOKIE_SECURE=True if config.SCHEME == "https" else False)
+
+csp = {
+    "default-src": "'self'",
+    "script-src": "'self'",
+    "style-src-attr": "'unsafe-inline'",
+}
+
 csrf.init_app(app)
+talisman = Talisman(
+    app,
+    content_security_policy=csp,
+    force_https=False,
+    content_security_policy_nonce_in=["script-src", "style-src"],
+)
 
 logger = logging.getLogger(__name__)
 
diff --git a/requirements.txt b/requirements.txt
index 5c0a865..3a51ede 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -25,3 +25,4 @@ pillow
 emoji-unicode
 html5lib
 Pygments
+flask-talisman
diff --git a/templates/layout.html b/templates/layout.html
index 7f386c6..81ceab1 100644
--- a/templates/layout.html
+++ b/templates/layout.html
@@ -12,7 +12,7 @@
 {% if not request.args.get("older_than") and not request.args.get("previous_than") %}<link rel="canonical" href="https://{{ config.DOMAIN }}{{ request.path }}">{% endif %}
 {% block links %}{% endblock %}
 {% if config.THEME_COLOR %}<meta name="theme-color" content="{{ config.THEME_COLOR }}">{% endif %}
-<style>{{ config.CSS | safe }}
+<style nonce="{{ csp_nonce() }}">{{ config.CSS | safe }}
 .icon { color: #555; }
 .emoji {
     width: 20px;
diff --git a/templates/login.html b/templates/login.html
index 717dfdc..3943ae2 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -2,7 +2,7 @@
 {% import 'utils.html' as utils %}
 {% block title %}Login - {{ config.NAME }}{% endblock %}
 {% block header %}
-<style>
+<style nonce="{{ csp_nonce() }}">
 #login-container {
 height: 90%;
 display: grid;
@@ -28,7 +28,7 @@ display:inline;
 
 </div>
 {% if u2f_enabled %}
-<script>
+<script nonce="{{ csp_nonce() }}">
 var p = {{ payload | tojson }};
 if (p) {
 u2f.sign(p.appId, p.challenge, p.registeredKeys, function(resp) {
diff --git a/templates/new.html b/templates/new.html
index 44e4d63..fffe971 100644
--- a/templates/new.html
+++ b/templates/new.html
@@ -90,7 +90,7 @@
 
 </div>
 </div>
-<script>
+<script nonce="{{ csp_nonce() }}">
 // The new post textarea
 var ta = document.getElementsByTagName("textarea")[0];
 // Helper for inserting text (emojis) in the textarea
diff --git a/templates/u2f.html b/templates/u2f.html
index 0d94691..d1c1eb6 100644
--- a/templates/u2f.html
+++ b/templates/u2f.html
@@ -12,7 +12,7 @@
 </form>
 
 </div>
-<script>
+<script nonce="{{ csp_nonce() }}">
 var p= {{ payload | tojson }};
 //setTimeout(function() {
 u2f.register(p.appId, p.registerRequests, p.registeredKeys, function(resp) {