From 5742d41c9336c3b0c167716b9569c642d952ea4a Mon Sep 17 00:00:00 2001
From: James Groom <OSSYoshiRulz+git@gmail.com>
Date: Tue, 15 Oct 2024 03:22:29 +1000
Subject: [PATCH] CSP round 3(?) (#2003)

* Make `Content-Security-Policy` not so hardcoded

* Add more `Content-Security-Policy` directives
---
 .../ApplicationBuilderExtensions.cs           | 26 +++++++++++++++++--
 TASVideos/Program.cs                          |  2 +-
 2 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/TASVideos/Extensions/ApplicationBuilderExtensions.cs b/TASVideos/Extensions/ApplicationBuilderExtensions.cs
index e6cc81231..332e88b43 100644
--- a/TASVideos/Extensions/ApplicationBuilderExtensions.cs
+++ b/TASVideos/Extensions/ApplicationBuilderExtensions.cs
@@ -46,8 +46,30 @@ public static IApplicationBuilder UseStaticFilesWithExtensionMapping(this IAppli
 		});
 	}
 
-	public static IApplicationBuilder UseMvcWithOptions(this IApplicationBuilder app, IHostEnvironment env)
+	public static IApplicationBuilder UseMvcWithOptions(this IApplicationBuilder app, IHostEnvironment env, AppSettings settings)
 	{
+		var userAgentReportURL = $"{settings.BaseUrl}/Diagnostics/UserAgentInterventionReports";
+		string[] trustedJSHosts = [
+			"https://cdn.jsdelivr.net",
+			"https://cdnjs.cloudflare.com",
+			"https://code.jquery.com",
+			"https://www.google.com/recaptcha/",
+			"https://www.gstatic.com/recaptcha/",
+			"https://www.youtube.com",
+		];
+		string[] cspDirectives = [
+			"base-uri 'none'", // neutralises the `<base/>` footgun
+			"default-src 'self'", // fallback for other `*-src` directives
+			"font-src 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/", // CSS `font: url();` and `@font-face { src: url(); }` will be blocked unless they're from one of these domains (this also blocks nonstandard fonts installed on the system maybe)
+			"form-action 'self'", // domains allowed for `<form action/>` (POST target page)
+			"frame-src 'self' https://www.youtube.com/embed/", // allow these domains in <iframe/>
+			"img-src *", // allow hotlinking images from any domain in UGC (not great)
+			"require-trusted-types-for 'script'", // experimental, but Google seems to be pushing it: should block `HTMLScriptElement.innerHTML = "user.pwn();";`, and similarly block adding in-line scripts as attrs
+			$"script-src 'self' {string.Join(' ', trustedJSHosts)}", // `<script/>`s will be blocked unless they're from one of these domains
+			"style-src 'unsafe-inline' 'self' https://cdnjs.cloudflare.com/ajax/libs/font-awesome/", // allow `<style/>`, and `<link rel="stylesheet"/>` if it's from our domain or trusted CDN
+			"upgrade-insecure-requests", // browser should automagically replace links to any `http://tasvideos.org/...` URL (in UGC, for example) with HTTPS
+		];
+		var contentSecurityPolicyValue = string.Join("; ", cspDirectives);
 		var permissionsPolicyValue = string.Join(", ", [
 			"camera=()", // defaults to `self`
 			"display-capture=()", // defaults to `self`
@@ -71,7 +93,7 @@ public static IApplicationBuilder UseMvcWithOptions(this IApplicationBuilder app
 			context.Response.Headers.XContentTypeOptions = "nosniff";
 			context.Response.Headers["Referrer-Policy"] = "strict-origin-when-cross-origin";
 			context.Response.Headers.XPoweredBy = "";
-			context.Response.Headers.ContentSecurityPolicy = "upgrade-insecure-requests; script-src 'self' https://code.jquery.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com https://www.youtube.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/";
+			context.Response.Headers.ContentSecurityPolicy = contentSecurityPolicyValue;
 			await next();
 		});
 
diff --git a/TASVideos/Program.cs b/TASVideos/Program.cs
index 763e811a8..6e166c727 100644
--- a/TASVideos/Program.cs
+++ b/TASVideos/Program.cs
@@ -67,7 +67,7 @@
 	.UseAuthentication()
 	.UseMiddleware<CustomLocalizationMiddleware>()
 	.UseSerilogRequestLogging()
-	.UseMvcWithOptions(app.Environment);
+	.UseMvcWithOptions(app.Environment, settings);
 
 if (app.Environment.IsDevelopment())
 {