[#1187] Update error page rendering to include Content-Security-Policy headers and nonces for a better security

2026-05-24 09:28:37 +00:00 · 2024-05-21 10:58:20 +01:00 · 2024-05-21 10:58:20 +01:00 · b42cdf97cd
commit b42cdf97cd
parent 9bf9058dd5
3 changed files with 27 additions and 7 deletions
--- a/.gitleaksignore
+++ b/.gitleaksignore
@ -10,3 +10,4 @@ src/ui/templates/settings_plugins.html:hashicorp-tf-password:297
 src/ui/templates/settings_plugins.html:hashicorp-tf-password:106
 src/ui/templates/account.html:hashicorp-tf-password:154
 src/ui/templates/account.html:hashicorp-tf-password:162
+src/common/core/errors/files/error.html:aws-access-token:20
--- a/src/common/core/errors/errors.lua
+++ b/src/common/core/errors/errors.lua
@ -1,7 +1,9 @@
 local class = require "middleclass"
 local plugin = require "bunkerweb.plugin"
+local utils = require "bunkerweb.utils"

 local ngx = ngx
+local rand = utils.rand
 local subsystem = ngx.config.subsystem
 local tostring = tostring

@ -84,12 +86,28 @@ function errors:log()
 end

 function errors:render_template(code)
+	local nonce_script = rand(16)
+	local nonce_style = rand(16)
+
+	-- Override headers
+	local header = "Content-Security-Policy"
+	if self.variables["CONTENT_SECURITY_POLICY_REPORT_ONLY"] == "yes" then
+		header = header .. "-Report-Only"
+	end
+	ngx.header[header] = "default-src 'none'; form-action 'self'; script-src 'strict-dynamic' 'nonce-"
+		.. nonce_script
+		.. "' 'unsafe-inline' http: https:; img-src 'self' data:; style-src 'self' 'nonce-"
+		.. nonce_style
+		.. "'; font-src 'self' data:; base-uri 'self'; require-trusted-types-for 'script';"
+
 	-- Render template
 	render("error.html", {
 		title = code .. " - " .. self.default_errors[code].title,
 		error_title = self.default_errors[code].title,
 		error_code = code,
 		error_text = self.default_errors[code].text,
+		nonce_script = nonce_script,
+		nonce_style = nonce_style,
 	})
 end

--- a/src/common/core/errors/files/error.html
+++ b/src/common/core/errors/files/error.html