All: add Content-Security-Policy-Report-Only header to all wordpress sites (#463)

timmywil · web-flow · commit 333228fc84f8 · 2024-09-11T09:56:27.000-04:00
Ref jquery/infrastructure-puppet#54 Ref jquery/infrastructure-puppet#57
diff --git a/themes/api.jquery.com/functions.php b/themes/api.jquery.com/functions.php
@@ -0,0 +1,8 @@
+<?php
+
+// Allow inline scripts and styles in API demos
+add_filter( 'jq_content_security_policy', function ( $policy ) {
+	$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
+	$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
+	return $policy;
+} );
diff --git a/themes/api.jquerymobile.com/functions.php b/themes/api.jquerymobile.com/functions.php
@@ -28,3 +28,10 @@ function jq_mobile_api_version_current() {
 		$thisVersion[ 1 ] :
 		jq_mobile_api_version_latest();
 }
+
+// Allow inline scripts and styles in API demos
+add_filter( 'jq_content_security_policy', function ( $policy ) {
+	$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
+	$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
+	return $policy;
+} );
diff --git a/themes/api.jqueryui.com/functions.php b/themes/api.jqueryui.com/functions.php
@@ -24,3 +24,10 @@ function jq_ui_api_version_current() {
 		$thisVersion[ 1 ] :
 		jq_ui_api_version_latest();
 }
+
+// Allow inline scripts and styles in API demos
+add_filter( 'jq_content_security_policy', function ( $policy ) {
+	$policy[ 'script-src' ] = "'self' 'unsafe-inline' code.jquery.com";
+	$policy[ 'style-src' ] = "'self' 'unsafe-inline'";
+	return $policy;
+} );
diff --git a/themes/jquery/functions.php b/themes/jquery/functions.php
@@ -251,3 +251,48 @@ function jq_image_posted_on() {
 
 	return $classes;
 } );
+
+/**
+ * Content Security Policy
+ */
+function jq_content_security_policy() {
+	if ( !JQUERY_STAGING ) {
+		return;
+	}
+	$nonce = bin2hex( random_bytes( 8 ) );
+	$report_url = 'https://csp-report-api.openjs-foundation.workers.dev/';
+	$policy = array(
+		'default-src' => "'self'",
+		'script-src' => "'self' 'nonce-$nonce' code.jquery.com",
+		// The nonce is here so inline scripts can be used in the theme
+		'style-src' => "'self' 'nonce-$nonce'",
+		// data: SVG images are used in typesense
+		'img-src' => "'self' data:",
+		'connect-src' => "'self' typesense.jquery.com",
+		'font-src' => "'self'",
+		'object-src' => "'none'",
+		'media-src' => "'self'",
+		'frame-src' => "'self'",
+		'child-src' => "'self'",
+		'form-action' => "'self'",
+		'frame-ancestors' => "'none'",
+		'base-uri' => "'self'",
+		'block-all-mixed-content' => '',
+		'report-to' => 'csp-endpoint',
+		// Add report-uri for Firefox, which
+		// does not yet support report-to
+		'report-uri' => $report_url,
+	);
+
+	$policy = apply_filters( 'jq_content_security_policy', $policy );
+
+	$policy_string = '';
+	foreach ( $policy as $key => $value ) {
+		$policy_string .= $key . ' ' . $value . '; ';
+	}
+
+	header( 'Reporting-Endpoints: csp-endpoint="' . $report_url . '"' );
+	header( 'Content-Security-Policy-Report-Only: ' . $policy_string );
+}
+
+add_action( 'send_headers', 'jq_content_security_policy' );
diff --git a/themes/jquery/header.php b/themes/jquery/header.php
@@ -5,7 +5,6 @@
 	<meta http-equiv="X-UA-Compatible" content="IE=edge">
 
 	<title><?php
-		global $page, $paged;
 		wp_title( '|', true, 'right' );
 		bloginfo( 'name' );
 		$site_description = get_bloginfo( 'description', 'display' );
