Force CSP, X-Frame DENY, no-referrer

Added optional Strict-Transport-Security in _include.php
TODO: put them in ./rainloop/v/0.0.0/app/templates/Views/Admin/AdminSettingsSecurity.html

_include.php

@@ -2,13 +2,16 @@
 
 // Name this file as "include.php" to enable it.
 
+//\header('Strict-Transport-Security: max-age=31536000');
+
 /**
  * @return string
  */
 function __get_custom_data_full_path()
 {
 	return '';
-	return '/var/external-rainloop-data-folder/'; // custom data folder path
+	return dirname(__DIR__) . '/rainloop-data';
+	return '/var/external-rainloop-data-folder'; // custom data folder path
 }
 
 /**
@@ -19,3 +22,4 @@ function __get_additional_configuration_name()
 	return '';
 	return defined('APP_SITE') && 0 < strlen(APP_SITE) ? APP_SITE.'.ini' : ''; // additional configuration file name
 }
+

rainloop/v/0.0.0/app/libraries/RainLoop/Config/Application.php

@@ -169,7 +169,7 @@ class Application extends \RainLoop\Config\AbstractConfig
 					'Enable CSRF protection (http://en.wikipedia.org/wiki/Cross-site_request_forgery)'),
 
 				'custom_server_signature'	=> array('RainLoop'),
-				'x_frame_options_header'	=> array(''),
+				'x_frame_options_header'	=> array('DENY'),
 				'x_xss_protection_header'	=> array('1; mode=block'),
 
 				'openpgp'					=> array(false),
@@ -182,7 +182,7 @@ class Application extends \RainLoop\Config\AbstractConfig
 				'hide_x_mailer_header'		=> array(true),
 				'admin_panel_host'			=> array(''),
 				'admin_panel_key'			=> array('admin'),
-				'content_security_policy'	=> array(''),
+				'content_security_policy'	=> array(APP_DEFAULT_CSP),
 				'core_install_access_domain' => array('')
 			),
 

rainloop/v/0.0.0/app/libraries/RainLoop/Service.php

@@ -38,17 +38,17 @@ class Service
 			\header('Server: '.$sServer, true);
 		}
 
-		$sXFrameOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_frame_options_header', ''));
-		if (0 < \strlen($sXFrameOptionsHeader))
-		{
-			\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
-		}
+		\header('Referrer-Policy: no-referrer');
+		\header('X-Content-Type-Options: nosniff');
 
-		$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', ''));
-		if (0 < \strlen($sXssProtectionOptionsHeader))
-		{
-			\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true);
-		}
+		$sContentSecurityPolicy = \trim($this->oActions->Config()->Get('security', 'content_security_policy', '')) ?: APP_DEFAULT_CSP;
+		\header('Content-Security-Policy: '.$sContentSecurityPolicy, true);
+
+		$sXFrameOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_frame_options_header', '')) ?: 'DENY';
+		\header('X-Frame-Options: '.$sXFrameOptionsHeader, true);
+
+		$sXssProtectionOptionsHeader = \trim($this->oActions->Config()->Get('security', 'x_xss_protection_header', '')) ?: '1; mode=block';
+		\header('X-XSS-Protection: '.$sXssProtectionOptionsHeader, true);
 
 		if ($this->oActions->Config()->Get('labs', 'force_https', false) && !$this->oHttp->IsSecure())
 		{
@@ -157,9 +157,6 @@ class Service
 				}
 			}
 
-			\header('Content-Security-Policy:');
-			\header_remove('Content-Security-Policy');
-
 			header('Content-Type: text/html; charset=utf-8');
 			$this->oHttp->ServerNoCache();
 
@@ -245,17 +242,17 @@ class Service
 		$sFaviconPngLink = $sFaviconUrl ? $sFaviconUrl : $this->staticPath('apple-touch-icon.png');
 		$sAppleTouchLink = $sFaviconUrl ? '' : $this->staticPath('apple-touch-icon.png');
 
-		$sContentSecurityPolicy = $this->oActions->Config()->Get('security', 'content_security_policy', '');
-
 		$aTemplateParameters = array(
+			'{{BaseAppHeadScriptLink}}' => '',
+			'{{BaseAppBodyScript}}' => '',
 			'{{BaseAppFaviconPngLinkTag}}' => $sFaviconPngLink ? '<link type="image/png" rel="shortcut icon" href="'.$sFaviconPngLink.'" />' : '',
 			'{{BaseAppFaviconTouchLinkTag}}' => $sAppleTouchLink ? '<link type="image/png" rel="apple-touch-icon" href="'.$sAppleTouchLink.'" />' : '',
 			'{{BaseAppMainCssLink}}' => $this->staticPath('css/app'.($bAppCssDebug ? '' : '.min').'.css'),
 			'{{BaseAppThemeCssLink}}' => $this->oActions->ThemeLink($sTheme, $bAdmin),
+			'{{BaseAppPolyfillsScriptLink}}' => '',
 			'{{BaseAppBootScriptLink}}' => $this->staticPath('js/'.($bAppJsDebug ? '' : 'min/').'boot'.($bAppJsDebug ? '' : '.min').'.js'),
 			'{{BaseViewport}}' => $bMobile ? 'width=device-width,initial-scale=1,user-scalable=no' : 'width=950,maximum-scale=2',
-			'{{BaseContentSecurityPolicy}}' => $sContentSecurityPolicy ?
-				'<meta http-equiv="Content-Security-Policy" content="'.$sContentSecurityPolicy.'" />' : '',
+			'{{BaseContentSecurityPolicy}}' => '',
 			'{{BaseDir}}' => false && \in_array($sLanguage, array('ar', 'he', 'ur')) ? 'rtl' : 'ltr',
 			'{{BaseAppManifestLink}}' => $this->staticPath('manifest.json')
 		);

rainloop/v/0.0.0/app/templates/Index.html

@@ -11,7 +11,6 @@
 	<meta name="google" content="notranslate" />
 	<meta name="robots" content="noindex,nofollow,noodp" />
 	<meta name="AppBootData" content='{{RainloopBootData}}' id="app-boot-data" />
-	{{BaseContentSecurityPolicy}}
 	<title></title>
 	{{BaseAppFaviconPngLinkTag}}
 	{{BaseAppFaviconTouchLinkTag}}

rainloop/v/0.0.0/include.php

@@ -12,6 +12,9 @@
 
 			define('APP_USE_APC_CACHE', true);
 
+			// "img-src https:" is allowed due to remote images in e-mails
+			define('APP_DEFAULT_CSP', "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'");
+
 			if (function_exists('date_default_timezone_set'))
 			{
 				date_default_timezone_set('UTC');