
Add CSP config

Jordi Boggiano %!s(int64=7) %!d(string=hai) anos
pai
achega
e9f1655d5f

+ 34 - 0
app/config/config_prod.yml

@@ -63,3 +63,37 @@ nelmio_security:
     forced_ssl:
         enabled: '%force_ssl%'
         hsts_max_age: 31104000 # 1y
+    csp:
+        enabled: true
+        report_logger_service: logger
+        hosts: []
+        content_types: []
+        enforce:
+            browser_adaptive:
+                enabled: false
+            default-src:
+                - 'self'
+            script-src:
+                - 'self'
+                - 'unsafe-inline'
+                - 'unsafe-eval'
+                - 'https://cdn.jsdelivr.net/'
+                - 'https://ssl.google-analytics.com/'
+            connect-src:
+                - 'self'
+                - '*.algolia.net'
+                - '*.algolianet.com'
+            img-src:
+                - 'self'
+                - 'https://www.gravatar.com/'
+                - 'https://camo.githubusercontent.com/'
+                - 'https://ssl.google-analytics.com/'
+                - 'http://www.google-analytics.com/'
+            style-src:
+                - 'self'
+                - 'unsafe-inline'
+                - 'https://fonts.googleapis.com/'
+            font-src:
+                - 'self'
+                - 'https://fonts.gstatic.com/'
+            block-all-mixed-content: true # defaults to false, blocks HTTP content over HTTPS transport
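Review bot: The `script-src` list in this hunk allows both `'unsafe-inline'` and `'unsafe-eval'`, which switches off the script-injection protection CSP is normally deployed for; as written the policy still restricts which hosts may serve resources and blocks mixed content, but an injected inline script would be allowed to run. The inline `<script>` in layout.html.twig (the last hunk on this page) is at least one consumer of `'unsafe-inline'`, so a comment such as `# 'unsafe-inline'/'unsafe-eval' are required by inline scripts (e.g. the GA snippet in layout.html.twig); move those to external files or nonces before removing` would record why the two keywords are present. `report_logger_service: logger` is set but no `report-uri` directive appears under `enforce`, so browsers have nowhere to send violation reports unless that endpoint is configured outside this hunk; a `report` (report-only) block next to `enforce` would also let the policy be checked in production logs before it blocks anything. With `block-all-mixed-content: true` on a site that `forced_ssl` keeps on HTTPS, the `http://www.google-analytics.com/` entry under `img-src` can never be used and could be dropped. The enclosing `nelmio_security:` section starts above this hunk.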

+ 1 - 1
composer.json

@@ -42,7 +42,7 @@
         "composer/composer": "^1.3@dev",
         "friendsofsymfony/user-bundle": "^2.0@dev",
         "hwi/oauth-bundle": "^0.4",
-        "nelmio/security-bundle": "^1.0",
+        "nelmio/security-bundle": "^2.4",
         "predis/predis": "^1.0",
         "snc/redis-bundle": "^2.0",
         "white-october/pagerfanta-bundle": "^1.0",

+ 68 - 9
composer.lock

@@ -4,7 +4,7 @@
         "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
         "This file is @generated automatically"
     ],
-    "content-hash": "53bcff7ff3ee7e8525709bc1bb27068b",
+    "content-hash": "b7a08f27034774dc2a4fc3be0a5cfc9b",
     "packages": [
         {
             "name": "algolia/algoliasearch-client-php",
@@ -2220,29 +2220,38 @@
         },
         {
             "name": "nelmio/security-bundle",
-            "version": "1.10.0",
+            "version": "2.4.0",
             "source": {
                 "type": "git",
                 "url": "https://github.com/nelmio/NelmioSecurityBundle.git",
-                "reference": "4be243f1fc85ff85f10aadcf88c8c11ba2096cd9"
+                "reference": "d0d7b151eda5f0ebe80562528f78b56954c1aec7"
             },
             "dist": {
                 "type": "zip",
-                "url": "https://api.github.com/repos/nelmio/NelmioSecurityBundle/zipball/4be243f1fc85ff85f10aadcf88c8c11ba2096cd9",
-                "reference": "4be243f1fc85ff85f10aadcf88c8c11ba2096cd9",
+                "url": "https://api.github.com/repos/nelmio/NelmioSecurityBundle/zipball/d0d7b151eda5f0ebe80562528f78b56954c1aec7",
+                "reference": "d0d7b151eda5f0ebe80562528f78b56954c1aec7",
                 "shasum": ""
             },
             "require": {
+                "paragonie/random_compat": "~1.0|~2.0",
                 "symfony/framework-bundle": "~2.3|~3.0",
-                "symfony/security": "~2.3|~3.0"
+                "symfony/security": "~2.3|~3.0",
+                "ua-parser/uap-php": "^3.4.4"
             },
             "require-dev": {
-                "phpunit/phpunit": "^5.2"
+                "doctrine/cache": "^1.0",
+                "psr/cache": "^1.0",
+                "symfony/phpunit-bridge": "^3.2",
+                "symfony/yaml": "~2.3|~3.0",
+                "twig/twig": "^1.24"
+            },
+            "suggest": {
+                "ua-parser/uap-php": "To allow adapt CSP directives given the user-agent"
             },
             "type": "symfony-bundle",
             "extra": {
                 "branch-alias": {
-                    "dev-master": "1.10.x-dev"
+                    "dev-master": "2.4.x-dev"
                 }
             },
             "autoload": {
@@ -2268,7 +2277,7 @@
             "keywords": [
                 "security"
             ],
-            "time": "2016-02-23T10:42:13+00:00"
+            "time": "2017-06-22T08:11:46+00:00"
         },
         {
             "name": "pagerfanta/pagerfanta",
@@ -3869,6 +3878,56 @@
             ],
             "time": "2016-09-01T17:50:53+00:00"
         },
+        {
+            "name": "ua-parser/uap-php",
+            "version": "v3.5.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/ua-parser/uap-php.git",
+                "reference": "c8b31e5b8215a0c6dab4dd304050526a1907b17c"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/ua-parser/uap-php/zipball/c8b31e5b8215a0c6dab4dd304050526a1907b17c",
+                "reference": "c8b31e5b8215a0c6dab4dd304050526a1907b17c",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0",
+                "symfony/console": "^2.0 || ^3.0 || ^4.0",
+                "symfony/filesystem": "^2.0 || ^3.0 || ^4.0",
+                "symfony/finder": "^2.0 || ^3.0 || ^4.0",
+                "symfony/yaml": "^2.0 || ^3.0 || ^4.0"
+            },
+            "require-dev": {
+                "phpunit/phpunit": "^4.0 || ^5.0"
+            },
+            "bin": [
+                "bin/uaparser"
+            ],
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "UAParser\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "MIT"
+            ],
+            "authors": [
+                {
+                    "name": "Lars Strojny",
+                    "email": "lars@strojny.net"
+                },
+                {
+                    "name": "Dave Olsen",
+                    "email": "dmolsen@gmail.com"
+                }
+            ],
+            "description": "A multi-language port of Browserscope's user agent parser.",
+            "time": "2017-12-13T11:03:50+00:00"
+        },
         {
             "name": "white-october/pagerfanta-bundle",
             "version": "v1.0.7",

+ 1 - 1
src/Packagist/WebBundle/Resources/views/Package/viewPackage.html.twig

@@ -116,7 +116,7 @@
                         <div class="details col-xs-12 col-sm-6 col-md-12">
                             <p class="maintainers">
                                 {% for maintainer in package.maintainers -%}
-                                    <a href="{{ path('user_profile', {'name': maintainer.username}) }}"><img width="48" height="48" title="{{ maintainer.username }}" src="//www.gravatar.com/avatar/{{ maintainer.email|gravatar_hash }}?s=48&amp;d=identicon" srcset="//www.gravatar.com/avatar/{{ maintainer.email|gravatar_hash }}?s=96&amp;d=identicon 2x"></a>
+                                    <a href="{{ path('user_profile', {'name': maintainer.username}) }}"><img width="48" height="48" title="{{ maintainer.username }}" src="https://www.gravatar.com/avatar/{{ maintainer.email|gravatar_hash }}?s=48&amp;d=identicon" srcset="https://www.gravatar.com/avatar/{{ maintainer.email|gravatar_hash }}?s=96&amp;d=identicon 2x"></a>
                                 {% endfor %}
                                 {% if addMaintainerForm is defined or removeMaintainerForm is defined %}
                                     {% if removeMaintainerForm is defined %}<a title="Remove Maintainer" id="remove-maintainer" href="{{ path('remove_maintainer', {'name': package.name}) }}"><i class="glyphicon glyphicon-remove"></i></a>{% endif %}

+ 1 - 1
src/Packagist/WebBundle/Resources/views/layout.html.twig

@@ -219,7 +219,7 @@
         <script>
             var _gaq=[['_setAccount','{{ google_analytics.ga_key }}'],['_trackPageview']];
             (function(d,t){var g=d.createElement(t),s=d.getElementsByTagName(t)[0];g.async=1;
-            g.src=('https:'==location.protocol?'//ssl':'//www')+'.google-analytics.com/ga.js';
+            g.src='https://ssl.google-analytics.com/ga.js';
             s.parentNode.insertBefore(g,s)}(document,'script'));
         </script>
         {%- endif %}