Merge pull request #32980 from Hystepik/new-website-security-const

New website security const by website
Dolibarr · Feb 12, 2025 · 622f330 · 622f330
2 parents 652e319 + 435fce3
commit 622f330
Show file tree

Hide file tree

Showing 4 changed files with 618 additions and 14 deletions.
diff --git a/htdocs/core/website.inc.php b/htdocs/core/website.inc.php
@@ -167,7 +167,7 @@
 	}
 
 	// Content-Security-Policy
-	if (!defined('WEBSITE_MAIN_SECURITY_FORCECSP')) {
+	if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCECSP')) {
 		// A default security policy that keep usage of js external component like ckeditor, stripe, google, working
 		// For example: to restrict to only local resources, except for css (cloudflare+google), and js (transifex + google tags) and object/iframe (youtube)
 		// default-src 'self'; style-src: https://cdnjs.cloudflare.com https://fonts.googleapis.com; script-src: https://cdn.transifex.com https://www.googletagmanager.com; object-src https://youtube.com; frame-src https://youtube.com; img-src: *;
@@ -178,7 +178,7 @@
 		//
 		// $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src 'self' 'unsafe-inline' 'unsafe-eval' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com;";
 		// $contentsecuritypolicy = "frame-ancestors 'self'; img-src * data:; font-src *; default-src *; script-src 'self' 'unsafe-inline' *.paypal.com *.stripe.com *.google.com *.googleapis.com *.google-analytics.com *.googletagmanager.com; style-src 'self' 'unsafe-inline'; connect-src 'self';";
-		$contentsecuritypolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCECSP');
+		$contentsecuritypolicy = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCECSP');
 
 		if (!is_object($hookmanager)) {
 			include_once DOL_DOCUMENT_ROOT.'/core/class/hookmanager.class.php';
@@ -200,32 +200,32 @@
 	}
 
 	// Referrer-Policy
-	if (!defined('WEBSITE_MAIN_SECURITY_FORCERP')) {
+	if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCERP')) {
 		// The constant WEBSITE_MAIN_SECURITY_FORCERP should never be defined by page, but the variable used just after may be
 
 		// For public web sites, we use the same default value than "strict-origin-when-cross-origin"
-		$referrerpolicy = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCERP', "strict-origin-when-cross-origin");
+		$referrerpolicy = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCERP', "strict-origin-when-cross-origin");
 
 		header("Referrer-Policy: ".$referrerpolicy);
 	}
 
 	// Strict-Transport-Security
-	if (!defined('WEBSITE_MAIN_SECURITY_FORCESTS')) {
+	if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCESTS')) {
 		// The constant WEBSITE_MAIN_SECURITY_FORCESTS should never be defined by page, but the variable used just after may be
 
 		// Example: "max-age=31536000; includeSubDomains"
-		$sts = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCESTS');
+		$sts = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCESTS');
 		if (!empty($sts)) {
 			header("Strict-Transport-Security: ".$sts);
 		}
 	}
 
 	// Permissions-Policy (old name was Feature-Policy)
-	if (!defined('WEBSITE_MAIN_SECURITY_FORCEPP')) {
+	if (!defined('WEBSITE_'.$website->id.'_SECURITY_FORCEPP')) {
 		// The constant WEBSITE_MAIN_SECURITY_FORCEPP should never be defined by page, but the variable used just after may be
 
 		// Example: "camera: 'none'; microphone: 'none';"
-		$pp = getDolGlobalString('WEBSITE_MAIN_SECURITY_FORCEPP');
+		$pp = getDolGlobalString('WEBSITE_'.$website->id.'_SECURITY_FORCEPP');
 		if (!empty($pp)) {
 			header("Permissions-Policy: ".$pp);
 		}

diff --git a/htdocs/langs/en_US/website.lang b/htdocs/langs/en_US/website.lang
@@ -368,3 +368,11 @@ WebPortalSetupNotComplete=Web portal setup is not complete
 DeleteWebsiteAccount=Delete website account
 ConfirmDeleteWebsiteAccount=Are you sure you want to delete this account.
 ConfirmDeleteWebsiteAccount2=If this account was used to login on the public portal or any otherweb site powered by Dolibarr, the login may be no more possible.
+ContentSecurityPolicy=Content Security Policy
+WebsiteSecurityForceRP=Website Security RP
+WebsiteSecurityForceSTS=Website Security STS
+WebsiteSecurityForcePP=Website Security PP
+SecurityPolicySucesfullyRemoved=Content Security Policy successfully removed
+ErrorRemovingSecurityPolicy=An error occurred when trying to remove a Content Security Policy
+SecurityPolicySucesfullyAdded=Content Security Policy successfully added
+ErrorAddingSecurityPolicy=An error occurred when trying to add a Content Security Policy