csp.pl
use Digest::SHA qw(sha256_base64);
use File::Copy;
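# Regenerates .htaccess with one <Files> section per *.HTM page in the
# current directory. Each section carries a Content-Security-Policy header
# whose style-src / script-src lists hold the SHA-256 hashes of that page's
# inline <style> and <script> blocks.

# Policy prefix shared by every page. default-src 'none' makes the policy
# deny-by-default, so anything not listed by a later directive is blocked.
# The header value is left open here; the closing quote is written after
# the per-page directives.
my $start = "Header set Content-Security-Policy \"default-src 'none'; base-uri 'none'; form-action 'self'; child-src 'self' blob:;worker-src 'self' blob:; img-src 'self' *.google-analytics.com *.analytics.google.com *.googletagmanager.com; connect-src 'self' *.google-analytics.com *.analytics.google.com; frame-ancestors 'self'; manifest-src 'self';";

# Start from the template on every run so sections from an earlier run are
# not appended twice. Every step is checked: a failure here that went
# unnoticed would leave pages served with a stale or missing policy.
copy(".htaccess_orig", ".htaccess")
    or die "Cannot copy .htaccess_orig to .htaccess: $!\n";
open(my $htaccess, '>>', '.htaccess')
    or die "Cannot open .htaccess for appending: $!\n";
opendir(my $dir, ".")
    or die "Cannot read the current directory: $!\n";

# defined() keeps an entry literally named "0" from ending the loop early.
while (defined(my $dirEntry = readdir $dir))
{
    # Substring tests, as in the original filter: any entry containing
    # ".HTM" is processed unless it also contains ".br" or ".gz"
    # (presumably the precompressed copies - confirm).
    next if (index($dirEntry, ".HTM") < 0);
    next if (index($dirEntry, ".br") >= 0);
    next if (index($dirEntry, ".gz") >= 0);

    # Stop rather than emit a policy computed from an unreadable page.
    open(my $filehandle, '<', $dirEntry)
        or die "Cannot open $dirEntry: $! (.htaccess is incomplete)\n";
    my $data = do { local $/; <$filehandle> };
    close($filehandle);

    # Pages that mention both "WebAssembly" and "instantiate" get
    # 'unsafe-eval' added to script-src.
    # NOTE(review): 'unsafe-eval' also re-enables eval() and friends for
    # JavaScript. 'wasm-unsafe-eval' is the narrower CSP keyword that only
    # permits WebAssembly compilation; consider it if the supported
    # browsers allow.
    my $extra = " 'self' blob:";
    if (index($data, "WebAssembly") >= 0 && index($data, "instantiate") >= 0)
    {
        $extra = " 'self' blob: 'unsafe-eval'";
    }

    print $htaccess "<Files ${dirEntry}>\n${start}";

    my $isEcm  = index($dirEntry, "ECM.HTM") != -1;
    my $isEcmc = index($dirEntry, "ECMC.HTM") != -1;
    if ($isEcm || $isEcmc)
    {
        print $htaccess " media-src 'self';";
    }

    # style-src is only written when the page has inline <style> blocks;
    # otherwise default-src 'none' applies to styles.
    my $styleSrc;
    getHashes($data, "style", $styleSrc, "");
    if ($styleSrc ne "")
    {
        print $htaccess $styleSrc . ";";
    }

    # getHashes returns "" when the page has no inline <script> block.
    # Printing the host list after an empty string would leave it without a
    # "script-src" directive name and, with no ';' written, would also
    # absorb report-uri. Emit the directive name and the base sources
    # explicitly in that case ('unsafe-inline' is not needed: there is no
    # inline script to allow).
    my $scriptSrc;
    getHashes($data, "script", $scriptSrc, $extra);
    if ($scriptSrc eq "")
    {
        $scriptSrc = " script-src${extra}";
    }
    print $htaccess $scriptSrc . " www.googletagmanager.com";

    # ECM.HTM and ECMC.HTM additionally list the hashes of the Blockly
    # script and of one language file each (en.js / es.js).
    my @hashedFiles;
    @hashedFiles = ("../blockly.js", "../en.js") if $isEcm;
    push @hashedFiles, "../blockly.js", "../es.js" if $isEcmc;
    for my $hashedFile (@hashedFiles)
    {
        my $fileHash;
        getFileHash($hashedFile, $fileHash);
        print $htaccess $fileHash;
    }
    print $htaccess ";";

    # Violation reports go to the external collector below.
    # NOTE(review): CSP Level 3 marks report-uri as deprecated in favour of
    # report-to; keep both if older browsers must still report.
    print $htaccess " report-uri https://alpertron23.report-uri.com/r/d/csp/enforce\"\n";
    print $htaccess "</Files>\n\n";
}
closedir $dir;

# Buffered write errors (for example a full disk) only surface at close.
close($htaccess)
    or die "Cannot finish writing .htaccess: $!\n";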
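# Builds one CSP source list (" <tag>-src 'unsafe-inline'<extra> 'sha256-…' …")
# from the inline <tag>…</tag> blocks found in an HTML document.
#
#   $_[0]  HTML text to scan
#   $_[1]  tag name, "style" or "script" in this file
#   $_[2]  OUTPUT: set through the @_ alias to the directive text, or to ""
#          when the document has no matching block
#   $_[3]  extra sources placed right after 'unsafe-inline'
#
# Only the bare form "<tag>" is matched. Tags carrying attributes
# (for example <script src=...>) are skipped and contribute no hash.
#
# 'unsafe-inline' is written next to the hashes on purpose-looking grounds:
# browsers that understand hash sources ignore 'unsafe-inline' when a hash
# is present, so it only takes effect in browsers limited to CSP Level 1 -
# where it does allow every inline block.
sub getHashes
{
    my ($data, $tagname, undef, $extra) = @_;
    my $openTag  = "<${tagname}>";
    my $closeTag = "</${tagname}>";
    my $sources  = "";
    my $pos      = 0;

    while (($pos = index($data, $openTag, $pos)) != -1)
    {
        my $bodyStart = $pos + length($openTag);
        my $bodyEnd   = index($data, $closeTag, $bodyStart);
        if ($bodyEnd == -1)
        {
            # An unterminated block used to be hashed with a negative
            # length, which put a hash of unrelated text into the policy.
            # Report it and stop instead.
            warn "getHashes: <${tagname}> without closing tag, block not hashed\n";
            last;
        }

        # The browser hashes exactly the text between the two tags.
        my $hash = sha256_base64(substr($data, $bodyStart, $bodyEnd - $bodyStart));
        # Digest::SHA omits base64 padding; CSP hash sources need it.
        $hash .= '=' x ((4 - length($hash) % 4) % 4);

        if ($sources eq "")
        {
            $sources = " ${tagname}-src 'unsafe-inline'${extra}";
        }
        $sources .= " 'sha256-${hash}'";

        # Resume at the closing tag, as the original scan did.
        $pos = $bodyEnd;
    }

    # The original ended with "close $fh" on a handle that was never
    # opened; it had no effect and is dropped.
    $_[2] = $sources;
    return;
}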
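# Computes the CSP hash source for a whole file.
#
#   $_[0]  path of the file to hash
#   $_[1]  OUTPUT: set through the @_ alias to " 'sha256-<base64>'"
#
# Dies when the file cannot be opened. The hash covers the exact bytes of
# the file, so the policy has to be regenerated whenever the file changes.
sub getFileHash
{
    my ($filename) = @_;
    open my $filehandle, '<', $filename or die "Cannot open $filename: $!\n";
    # Hash raw bytes. Without binmode, a platform with a CRLF translation
    # layer would hash different content than the server sends.
    binmode $filehandle;
    my $string = do { local $/; <$filehandle> };
    close $filehandle;

    my $hash = sha256_base64($string);
    # Digest::SHA omits base64 padding; CSP hash sources need it.
    $hash .= '=' x ((4 - length($hash) % 4) % 4);

    $_[1] = " 'sha256-${hash}'";
    return $_[1];
}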