Make security headers configuration consistent for frontend and assets

Author: thekid

ChangeLog.md

@@ -3,6 +3,8 @@ Web frontends change log
 
 ## ?.?.? / ????-??-??
 
+* Made it possible to use `web.frontend.Security` instances for assets
+  (@thekid)
 * Implemented default CSP in `web.frontend.AssetsFrom` to prevent XSS
   with SVG files. See #49 and https://stackoverflow.com/q/10557137
   (@thekid)

README.md

@@ -315,20 +315,31 @@ To configure framing, referrer and content security policies, use the *security(
 ```php
 use web\frontend\{Frontend, Security};
 
-$frontend= (new Frontend($delegates, $templates))
-  ->enacting((new Security())
-    ->framing('SAMEORIGIN')
-    ->referrers('strict-origin')
-    ->csp([
-      'default-src' => '"none"',
-      'script-src'  => ['"self"', '"nonce-{{nonce}}"', 'https://example.com'],
-      // etcetera
-    ])
-  )
+$policy= (new Security())
+  ->framing('SAMEORIGIN')
+  ->referrers('strict-origin')
+  ->csp([
+    'default-src' => '"none"',
+    'script-src'  => ['"self"', '"nonce-{{nonce}}"', 'https://example.com'],
+    // etcetera
+  ])
+;
+$frontend= (new Frontend($delegates, $templates))->enacting($policy);
 ;
 ```
 
-Read more about hardening response headers at https://scotthelme.co.uk/hardening-your-http-response-headers/ or watch this talk: https://www.youtube.com/watch?v=mr230uotw-Y
+For static assets, the same policy can be used:
+
+```php
+use web\frontend\{AssetsFrom, Security};
+
+$policy= /* see above */
+$assets= (new AssetsFrom($path))->enacting($policy);
+```
+
+The default configuration is to set `script-src 'none'; object-src 'none'`, see https://stackoverflow.com/q/10557137
+
+*Read more about hardening response headers at https://scotthelme.co.uk/hardening-your-http-response-headers/ or watch this talk: https://www.youtube.com/watch?v=mr230uotw-Y*
 
 ## Performance
 

src/main/php/web/frontend/AssetsFrom.class.php

@@ -16,7 +16,7 @@
  */
 class AssetsFrom extends FilesFrom {
   const PREFERENCE= ['br', 'bzip2', 'gzip', 'deflate'];
-  const POLICY= 'script-src none; object-src none';
+  const POLICY= ['script-src' => "'none'", 'object-src' => "'none'"];
   const ENCODINGS= [
     'br'       => '.br',
     'bzip2'    => '.bz2',
@@ -27,27 +27,22 @@ class AssetsFrom extends FilesFrom {
   ];
 
   private $sources= [];
-  private $csp= self::POLICY;
+  private $security;
   private $preference;
 
   /** @param io.Path|io.Folder|string|io.Path[]|io.Folder[]|string[] $sources */
   public function __construct($sources) {
+    $this->security= (new Security())->csp(self::POLICY);
     $this->preferring(self::PREFERENCE);
     foreach (is_array($sources) ? $sources : [$sources] as $source) {
       $this->sources[]= $source instanceof Path ? $source : new Path($source);
     }
     parent::__construct($this->sources[0] ?? '.');
   }
 
-  /**
-   * Change content security policy
-   *
-   * @see    https://github.com/xp-forge/frontend/issues/49
-   * @param  string|string[] $csp
-   * @return self
-   */
-  public function policy($csp) {
-    $this->csp= is_array($csp) ? implode('; ', $csp) : (string)$csp;
+  /** Overwrites security */
+  public function enacting(Security $security): self {
+    $this->security= $security;
     return $this;
   }
 
@@ -135,8 +130,10 @@ public function handle($request, $response) {
         $target= new Path($source, $path.(self::ENCODINGS[$encoding] ?? '*'));
         if ($target->exists() && $target->isFile()) {
           $response->header('Vary', 'Accept-Encoding');
-          $response->header('Content-Security-Policy', $this->csp);
           '*' === $encoding || $response->header('Content-Encoding', $encoding);
+          foreach ($this->security->headers() as $name => $value) {
+            $response->header($name, $value);
+          }
 
           return $this->serve($request, $response, $target->asFile(), $this->mime($path));
         }

src/main/php/web/frontend/Security.class.php

@@ -17,6 +17,9 @@ class Security {
     'Referrer-Policy'         => 'no-referrer-when-downgrade',
   ];
 
+  /** @return [:string] */
+  public function headers() { return $this->headers; }
+
   /** Sets frame options */
   public function framing(string $value): self {
     $this->headers['X-Frame-Options']= $value;
@@ -32,18 +35,24 @@ public function referrers(string $value): self {
   /**
    * Sets content security policy
    * 
-   * @param  [:string|string[]] $sources
+   * @param  string|[:string|string[]] $policy
    * @param  bool $reportOnly whether to report only (true) or to enforce (false)
    * @return self
    * @see    https://content-security-policy.com/
    */
-  public function csp(array $sources, bool $reportOnly= false): self {
+  public function csp($policy, bool $reportOnly= false): self {
     $name= $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
-    $header= '';
-    foreach ($sources as $source => $value) {
-      $header.= '; '.$source.' '.strtr(is_array($value) ? implode(' ', $value) : $value, '"', "'");
+
+    if (is_array($policy)) {
+      $header= '';
+      foreach ($policy as $source => $value) {
+        $header.= '; '.$source.' '.strtr(is_array($value) ? implode(' ', $value) : $value, '"', "'");
+      }
+      $this->headers[$name]= substr($header, 2);
+    } else {
+      $this->headers[$name]= $policy;
     }
-    $this->headers[$name]= substr($header, 2);
+
     return $this;
   }
 

src/test/php/web/frontend/unittest/AssetsFromTest.class.php

@@ -3,7 +3,7 @@
 use io\{File, Files, Folder};
 use lang\Environment;
 use test\{After, Assert, Test, Values};
-use web\frontend\AssetsFrom;
+use web\frontend\{AssetsFrom, Security};
 use web\io\{TestInput, TestOutput};
 use web\{Request, Response};
 
@@ -161,25 +161,17 @@ public function includes_csp_header_by_default() {
     $assets= new AssetsFrom($this->folderWith(['fixture.css' => '...']));
     $res= $this->serve($assets, '/fixture.css');
 
-    Assert::equals(AssetsFrom::POLICY, $res->headers()['Content-Security-Policy']);
+    Assert::equals("script-src 'none'; object-src 'none'", $res->headers()['Content-Security-Policy']);
   }
 
   #[Test]
-  public function using_string_csp() {
+  public function enacting_security() {
     $assets= new AssetsFrom($this->folderWith(['fixture.css' => '...']));
-    $res= $this->serve($assets->policy('script-src none'), '/fixture.css');
+    $res= $this->serve($assets->enacting((new Security())->csp('script-src none')), '/fixture.css');
 
     Assert::equals('script-src none', $res->headers()['Content-Security-Policy']);
   }
 
-  #[Test]
-  public function using_array_csp() {
-    $assets= new AssetsFrom($this->folderWith(['fixture.css' => '...']));
-    $res= $this->serve($assets->policy(['script-src none', 'object-src none']), '/fixture.css');
-
-    Assert::equals('script-src none; object-src none', $res->headers()['Content-Security-Policy']);
-  }
-
   #[Test, Values([[['fixture.css' => self::CONTENTS]], [['fixture.css.gz' => self::COMPRESSED]]])]
   public function handles_conditional_requests($files) {
     $res= $this->serve(new AssetsFrom($this->folderWith($files)), '/fixture.css', [