jared
ac05b212b2
DashboardView.php: wrap performAdvancedSearch in a closure so it is
resolved at event-fire time rather than listener-registration time
(advanced-search.js loads later via pageScripts so the bare identifier
reference caused ReferenceError).
DashboardView.php: reset sort URL to page=1 so sorting all pages
instead of staying on the current page.
dashboard.js: add missing save-settings and close-settings cases to
the click delegation handler (were removed in a prior session under
the assumption they were in dashboard.js, but they were not).
notifications.php: replace JSON_EXTRACT-based comment join (not
universally supported) with a two-step PHP filter: fetch owner/watcher
ticket IDs first, then filter raw comment rows in PHP. Also fix the
status change LIKE pattern to match the actual logTicketUpdate format
{"status": {"from": ..., "to": ...}}.
SecurityHeadersMiddleware.php: add https://cdn.jsdelivr.net to
connect-src so Chart.js source maps load without CSP violations.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
49 lines
1.8 KiB
PHP
49 lines
1.8 KiB
PHP
<?php
|
|
/**
|
|
* Security Headers Middleware
|
|
*
|
|
* Applies security-related HTTP headers to all responses.
|
|
*/
|
|
class SecurityHeadersMiddleware {
|
|
private static ?string $nonce = null;
|
|
|
|
/**
|
|
* Generate or retrieve the CSP nonce for this request
|
|
*
|
|
* @return string The nonce value
|
|
*/
|
|
public static function getNonce(): string {
|
|
if (self::$nonce === null) {
|
|
self::$nonce = base64_encode(random_bytes(16));
|
|
}
|
|
return self::$nonce;
|
|
}
|
|
|
|
/**
|
|
* Apply security headers to the response
|
|
*/
|
|
public static function apply(): void {
|
|
$nonce = self::getNonce();
|
|
|
|
// Content Security Policy - restricts where resources can be loaded from
|
|
// Using nonces for scripts to prevent XSS attacks while allowing inline scripts with valid nonces
|
|
// All inline event handlers have been refactored to use addEventListener with data-action attributes
|
|
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{$nonce}' https://cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdn.jsdelivr.net; img-src 'self' data:; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://cdn.jsdelivr.net;");
|
|
|
|
// Prevent clickjacking by disallowing framing
|
|
header("X-Frame-Options: DENY");
|
|
|
|
// Prevent MIME type sniffing
|
|
header("X-Content-Type-Options: nosniff");
|
|
|
|
// Enable XSS filtering in older browsers
|
|
header("X-XSS-Protection: 1; mode=block");
|
|
|
|
// Control referrer information sent with requests
|
|
header("Referrer-Policy: strict-origin-when-cross-origin");
|
|
|
|
// Permissions Policy - disable unnecessary browser features
|
|
header("Permissions-Policy: geolocation=(), microphone=(), camera=()");
|
|
}
|
|
}
|