From 5476ffa9443e728510ae1006896b663989cb01da Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Tue, 26 Oct 2010 23:46:18 -0400
Subject: [PATCH 1/4] add StrictTransportSecurity plugin
---
 plugins/StrictTransportSecurity/README | 21 +++++++
 .../StrictTransportSecurityPlugin.php | 62 +++++++++++++++++++
 2 files changed, 83 insertions(+)
 create mode 100644 plugins/StrictTransportSecurity/README
 create mode 100644 plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php
diff --git a/plugins/StrictTransportSecurity/README b/plugins/StrictTransportSecurity/README
new file mode 100644
index 0000000000..66f03e95ea
--- /dev/null
+++ b/plugins/StrictTransportSecurity/README
@@ -0,0 +1,21 @@
+The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.
+See http://lists.w3.org/Archives/Public/www-archive/2009Sep/att-0051/draft-hodges-strict-transport-sec-05.plain.html for the specification.
+
+Installation
+============
+add "addPlugin('strictTransportSecurity');"
+to the bottom of your config.php
+
+The plugin will not do anything unless:
+$config['site']['ssl'] is set to 'always'
+$config['site']['path'] is either not set, empty, or '/'
+
+Settings
+========
+max_age (15552000): sets how long to remember the forced HTTPS (seconds) (15552000 seconds is 180 days)
+includeSubDomains (false): if set, then STS will apply to all the sub-domains too.
+
+Example
+=======
+addPlugin('strictTransportSecurity');
+
diff --git a/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php b/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php
new file mode 100644
index 0000000000..004a627929
--- /dev/null
+++ b/plugins/StrictTransportSecurity/StrictTransportSecurityPlugin.php
@@ -0,0 +1,62 @@
+.
+ *
+ * @category Plugin
+ * @package StatusNet
+ * @author Craig Andrews
+ * @copyright 2009 Free Software Foundation, Inc http://www.fsf.org
+ * @license http://www.fsf.org/licensing/licenses/agpl-3.0.html GNU Affero General Public License version 3.0
+ * @link http://status.net/
+ */
+
+if (!defined('STATUSNET') && !defined('LACONICA')) {
+ exit(1);
+}
+
+class StrictTransportSecurityPlugin extends Plugin
+{
+ public $max_age = 15552000;
+ public $includeSubDomains = false;
+
+ function __construct()
+ {
+ parent::__construct();
+ }
+
+ function onArgsInitialize($args)
+ {
+ $path = common_config('site', 'path');
+ if(common_config('site', 'ssl') == 'always' && ($path == '/' || ! $path )) {
+ header('Strict-Transport-Security: max-age=' . $this->max_age .
+ ($this->includeSubDomains?'; includeSubDomains':''));
+ }
+ }
+
+ function onPluginVersion(&$versions)
+ {
+ $versions[] = array('name' => 'StrictTransportSecurity',
+ 'version' => STATUSNET_VERSION,
+ 'author' => 'Craig Andrews',
+ 'homepage' => 'http://status.net/wiki/Plugin:StrictTransportSecurity',
+ 'rawdescription' =>
+ _m('The Strict Transport Security plugin implements the Strict Transport Security header, improving the security of HTTPS only sites.'));
+ return true;
+ }
+}
From bc6a61dc89a2af2e874f83d1e876d0d0b65b4e26 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Tue, 26 Oct 2010 23:56:59 -0400
Subject: [PATCH 2/4] Use https for gravatars
No reason not to use https, and doing so prevents mixed content warnings when the avatars are used on https pages.
---
 plugins/Gravatar/GravatarPlugin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/Gravatar/GravatarPlugin.php b/plugins/Gravatar/GravatarPlugin.php
index dd8ff72176..5fcc79fd51 100644
--- a/plugins/Gravatar/GravatarPlugin.php
+++ b/plugins/Gravatar/GravatarPlugin.php
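Review bot: `onArgsInitialize` returns nothing, while `onPluginVersion` in the same hunk ends with `return true;`; if the event dispatcher treats a non-true result as a request to stop the chain (not verifiable from this view), later `ArgsInitialize` handlers would be silently skipped, so add `return true;` after the `if` block. The header value is also built from `$this->max_age` without coercion, and since the property is public and set from config, a non-numeric value yields a malformed `max-age` directive that browsers discard, disabling STS with no error; write `header('Strict-Transport-Security: max-age=' . (int) $this->max_age .`. The condition only checks the `ssl` config and site path, not whether the current response actually goes over TLS; the referenced draft says user agents ignore the header on plain HTTP, so this is harmless, but guarding on `StatusNet::isHTTPS()` as patches 3 and 4 do would make the intent explicit. The hunk opens with a bare `+.`, so the file's license header is not visible here.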
@@ -183,7 +183,7 @@ class GravatarPlugin
 function gravatar_url($email, $size)
 {
- $url = "http://www.gravatar.com/avatar.php?gravatar_id=".
+ $url = "https://secure.gravatar.com/avatar.php?gravatar_id=".
 md5(strtolower($email)).
 "&default=".urlencode(Avatar::defaultImage($size)).
 "&size=".$size;
From 9f9126e5245173b06719638e434b19f6973661b4 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Wed, 27 Oct 2010 00:09:43 -0400
Subject: [PATCH 3/4] Load MS Virtual Earth javascript over https when browsing in https
---
 plugins/Mapstraction/MapstractionPlugin.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/plugins/Mapstraction/MapstractionPlugin.php b/plugins/Mapstraction/MapstractionPlugin.php
index c4ba6464ea..08465e0a77 100644
--- a/plugins/Mapstraction/MapstractionPlugin.php
+++ b/plugins/Mapstraction/MapstractionPlugin.php
@@ -125,7 +125,7 @@ class MapstractionPlugin extends Plugin
 urlencode($this->apikey)));
 break;
 case 'microsoft':
- $action->script('http://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6');
+ $action->script((StatusNet::isHTTPS()?'https':'http') + '://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6');
 break;
 case 'openlayers':
 // XXX: is this not nice...?
From 255ba42ef120a3ee0ac21c0c639730d8317b7e79 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Wed, 27 Oct 2010 00:11:55 -0400
Subject: [PATCH 4/4] use library function to determine if https should be used for recaptcha
---
 plugins/Recaptcha/RecaptchaPlugin.php | 13 ++-----------
 1 file changed, 2 insertions(+), 11 deletions(-)
diff --git a/plugins/Recaptcha/RecaptchaPlugin.php b/plugins/Recaptcha/RecaptchaPlugin.php
index 08557cbd84..5a33e7132e 100644
--- a/plugins/Recaptcha/RecaptchaPlugin.php
+++ b/plugins/Recaptcha/RecaptchaPlugin.php
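Review bot: On the last context line of the hunk, `$size` is concatenated into the query string raw while the neighbouring `default` parameter goes through `urlencode()`; if `$size` can ever be something other than a plain integer (its origin is not visible here) the new https URL comes out malformed, so `"&size=" . (int) $size;` keeps it well-formed and consistent with the encoded parameter beside it. The remainder of `gravatar_url` lies outside the hunk.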
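Review bot: The added `$action->script(...)` line joins the scheme to the rest of the URL with `+` rather than `.`; in PHP `+` is arithmetic, so `'https' + '://dev...'` evaluates to `0` on PHP 5 and 7 (PHP 7 also emits a non-numeric-value warning) and throws a `TypeError` on PHP 8, meaning the Virtual Earth script is never loaded on either scheme. Replace the line with `$action->script((StatusNet::isHTTPS() ? 'https' : 'http') . '://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6');`. The enclosing `switch` starts and ends outside the hunk.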
@@ -51,15 +51,6 @@ class RecaptchaPlugin extends Plugin
 }
 }
- function checkssl()
- {
- if(common_config('site', 'ssl') === 'sometimes' || common_config('site', 'ssl') === 'always') {
- return true;
- }
- return false;
- }
-
-
 function onEndRegistrationFormData($action)
 {
 $action->elementStart('li');
@@ -79,7 +70,7 @@ class RecaptchaPlugin extends Plugin
 {
 if (isset($action->recaptchaPluginNeedsOutput) && $action->recaptchaPluginNeedsOutput) {
 // Load the AJAX API
- if ($this->checkssl()) {
+ if (StatusNet::isHTTPS()) {
 $url = "https://api-secure.recaptcha.net/js/recaptcha_ajax.js";
 } else {
 $url = "http://api.recaptcha.net/js/recaptcha_ajax.js";
@@ -120,4 +111,4 @@ class RecaptchaPlugin extends Plugin
 'captcha to the registration page.'));
 return true;
 }
-}
\ No newline at end of file
+}
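Review bot: In the second hunk the plain-HTTP branch is kept, so a registration page served over HTTP still loads `recaptcha_ajax.js` from `http://api.recaptcha.net`, where an on-path attacker can substitute the script and run arbitrary JavaScript on the registration form; patch 2 of this series already argues there is "no reason not to use https", and the same reasoning applies here, so set `$url = "https://api-secure.recaptcha.net/js/recaptcha_ajax.js";` unconditionally and drop the `if`/`else`. Note too that the switch from `checkssl()` (true whenever `site/ssl` is `sometimes` or `always`) to `StatusNet::isHTTPS()` narrows when the secure URL is used, and deletes a public method that other code not visible here may call. The enclosing method begins and ends outside the hunk.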