All: add Content-Security-Policy-Report-Only header to all wordpress …

…sites Ref jquery/infrastructure-puppet#54 Ref jquery/infrastructure-puppet#57
timmywil · Aug 19, 2024 · 4ce4448 · 4ce4448
1 parent 799f789
commit 4ce4448
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 1 deletion.
diff --git a/themes/api.jquery.com/functions.php b/themes/api.jquery.com/functions.php
@@ -0,0 +1,8 @@
+<?php
+
+// Allow inline scripts and styles in API demos
+add_filter( 'jq_content_security_policy', function ( $policy ) {
+	$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
+	$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
+	return $policy;
+} );
diff --git a/themes/api.jquerymobile.com/functions.php b/themes/api.jquerymobile.com/functions.php
@@ -28,3 +28,10 @@ function jq_mobile_api_version_current() {
 		$thisVersion[ 1 ] :
 		jq_mobile_api_version_latest();
 }
+
+// Allow inline scripts and styles in API demos
+add_filter( 'jq_content_security_policy', function ( $policy ) {
+	$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
+	$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
+	return $policy;
+} );
diff --git a/themes/api.jqueryui.com/functions.php b/themes/api.jqueryui.com/functions.php
@@ -24,3 +24,10 @@ function jq_ui_api_version_current() {
 		$thisVersion[ 1 ] :
 		jq_ui_api_version_latest();
 }
+
+// Allow inline scripts and styles in API demos
+add_filter( 'jq_content_security_policy', function ( $policy ) {
+	$policy[ 'script-src' ][] = "'self' 'unsafe-inline' code.jquery.com"
+	$policy[ 'style-src' ][] = "'self' 'unsafe-inline'";
+	return $policy;
+} );
diff --git a/themes/jquery/functions.php b/themes/jquery/functions.php
@@ -251,3 +251,39 @@ function jq_image_posted_on() {
 
 	return $classes;
 } );
+
+/**
+ * Content Security Policy
+ */
+function jq_content_security_policy() {
+	$nonce = wp_create_nonce( JQUERY_LIVE_SITE );
+	$policy = array(
+		'default-src' => "'self'",
+		'script-src' => "'self' 'nonce-$nonce' code.jquery.com",
+		// The SHA is for the inline style from typesense
+		// 'unsafe-hashes' is required in order to use hashes in style-src
+		'style-src' => "'self' 'nonce-$nonce' 'sha256-biLFinpqYMtWHmXfkA1BPeCY0/fNt46SAZ+BBk5YUog=' 'unsafe-hashes'",
+		// data: SVG images are used in typesense
+		'img-src' => "'self' data:",
+		'connect-src' => "'self' typesense.jquery.com",
+		'font-src' => "'self'",
+		'object-src' => "'none'",
+		'media-src' => "'self'",
+		'frame-src' => "'self'",
+		'child-src' => "'self'",
+		'form-action' => "'self'",
+		'frame-ancestors' => "'none'",
+		'base-uri' => "'self'",
+		'block-all-mixed-content' => '',
+		'report-uri' => 'https://csp-report-api.openjs-foundation.workers.dev/',
+	);
+
+	$policy = apply_filters( 'jq_content_security_policy', $policy );
+
+	$policy_string = '';
+	foreach ( $policy as $key => $value ) {
+		$policy_string .= $key . ' ' . $value . '; ';
+	}
+
+	header( 'Content-Security-Policy-Report-Only: ' . $policy_string );
+}
diff --git a/themes/jquery/header.php b/themes/jquery/header.php
@@ -1,11 +1,11 @@
+<?php jq_content_security_policy() ?>
 <!doctype html>
 <html class="no-js" <?php language_attributes(); ?>>
 <head>
 	<meta charset="utf-8">
 	<meta http-equiv="X-UA-Compatible" content="IE=edge">
 
 	<title><?php
-		global $page, $paged;
 		wp_title( '|', true, 'right' );
 		bloginfo( 'name' );
 		$site_description = get_bloginfo( 'description', 'display' );