Tag: CSP Friendly Security

add_action('send_headers', 'simple_csp_headers');
/*ยกเว้นหน้าที่ไม่ต้องการทำ csp */
function simple_csp_headers() {
    $pages = array('cd-key');
    if (is_admin() || is_page($pages)) {
        if (!headers_sent()) {
            header("Content-Security-Policy: upgrade-insecure-requests");
        }
    }
}

if (function_exists('litespeed_autoload')) {
    add_filter('litespeed_buffer_after', 'process_csp_buffer', 0);
} else {
    add_action('template_redirect', 'csp_ob_start');
}

function csp_ob_start() {
    if (!is_admin()) {
        ob_start('process_csp_buffer');
    }
}

function process_csp_buffer($content) {
    $nonce = base64_encode(random_bytes(16));
    $pattern = '#<(script|style)(?![^>]*\bnonce=)(?![^>]*\btype=[\x22\x27]application/(ld\+json|json)[\x22\x27])([^>]*)>#i';
    $content = preg_replace($pattern, "<$1 nonce='" . $nonce . "'$3>", $content);

    $sha256_csp = get_event_hashes($content);
    $uris = get_allowed_domains($content);
    $uri_string = implode(' ', $uris);

    $script_src = "script-src https: 'strict-dynamic' 'nonce-" . $nonce . "'";
    if (!empty($sha256_csp)) {
        $script_src .= " " . $sha256_csp;
    }

    $csp_header = sprintf(
        "Content-Security-Policy: base-uri 'self' %s data:; object-src 'none'; %s; frame-ancestors 'none';",
        $uri_string,
        $script_src
    );

    if (!headers_sent()) {
        header($csp_header);
    }

    return $content;
}

function get_event_hashes($output) {
    $sha256 = array();
    if (preg_match_all('#\s(onload|onclick)\s*=\s*([\x22\x27])(.+?)\2#is', $output, $matches)) {
        foreach ($matches[3] as $event_code) {
            if (!empty($event_code)) {
                $sha256[] = base64_encode(hash('sha256', $event_code, true));
            }
        }
    }

    if (class_exists('autoptimizeConfig')) {
        $sha256[] = base64_encode(hash('sha256', "this.onload=null;this.media='all';", true));
    }

    if (empty($sha256)) {
        return '';
    }
    
    $unique_hashes = array_unique($sha256);
    $formatted_hashes = array();
    foreach ($unique_hashes as $h) {
        $formatted_hashes[] = "'sha256-" . $h . "'";
    }

    return "'unsafe-hashes' " . implode(' ', $formatted_hashes);
}

function get_allowed_domains($string) {
    $result = array();
    $domains = array(
        'https://secure.gravatar.com/avatar/',
        'https://fonts.googleapis.com/',
        'https://maxcdn.bootstrapcdn.com/',
        'https://cdn.jsdelivr.net/'
    );

    foreach ($domains as $domain) {
        if (strpos($string, $domain) !== false) {
            $result[] = $domain;
        }
    }
    return $result;
}

add_action('send_headers', 'simple_csp_headers');
/*ยกเว้นหน้าที่ไม่ต้องการทำ csp */
function simple_csp_headers() {
    $pages = array('cd-key');
    if (is_admin() || is_page($pages)) {
        if (!headers_sent()) {
            header("Content-Security-Policy: upgrade-insecure-requests");
        }
    }
}

if (function_exists('litespeed_autoload')) {
    add_filter('litespeed_buffer_after', 'process_csp_buffer', 0);
} else {
    add_action('template_redirect', 'csp_ob_start');
}

function csp_ob_start() {
    if (!is_admin()) {
        ob_start('process_csp_buffer');
    }
}

function process_csp_buffer($content) {
    $nonce = base64_encode(random_bytes(16));
    $pattern = '#<(script|style)(?![^>]*\bnonce=)(?![^>]*\btype=[\x22\x27]application/(ld\+json|json)[\x22\x27])([^>]*)>#i';
    $content = preg_replace($pattern, "<$1 nonce='" . $nonce . "'$3>", $content);

    $sha256_csp = get_event_hashes($content);
    $uris = get_allowed_domains($content);
    $uri_string = implode(' ', $uris);

    $script_src = "script-src https: 'strict-dynamic' 'nonce-" . $nonce . "'";
    if (!empty($sha256_csp)) {
        $script_src .= " " . $sha256_csp;
    }

    $csp_header = sprintf(
        "Content-Security-Policy: base-uri 'self' %s data:; object-src 'none'; %s; frame-ancestors 'none';",
        $uri_string,
        $script_src
    );

    if (!headers_sent()) {
        header($csp_header);
    }

    return $content;
}

function get_event_hashes($output) {
    $sha256 = array();
    if (preg_match_all('#\s(onload|onclick)\s*=\s*([\x22\x27])(.+?)\2#is', $output, $matches)) {
        foreach ($matches[3] as $event_code) {
            if (!empty($event_code)) {
                $sha256[] = base64_encode(hash('sha256', $event_code, true));
            }
        }
    }

    if (class_exists('autoptimizeConfig')) {
        $sha256[] = base64_encode(hash('sha256', "this.onload=null;this.media='all';", true));
    }

    if (empty($sha256)) {
        return '';
    }
    
    $unique_hashes = array_unique($sha256);
    $formatted_hashes = array();
    foreach ($unique_hashes as $h) {
        $formatted_hashes[] = "'sha256-" . $h . "'";
    }

    return "'unsafe-hashes' " . implode(' ', $formatted_hashes);
}

function get_allowed_domains($string) {
    $result = array();
    $domains = array(
        'https://secure.gravatar.com/avatar/',
        'https://fonts.googleapis.com/',
        'https://maxcdn.bootstrapcdn.com/',
        'https://cdn.jsdelivr.net/'
    );

    foreach ($domains as $domain) {
        if (strpos($string, $domain) !== false) {
            $result[] = $domain;
        }
    }
    return $result;
}