From a966bf02825939771d26012e95c2a7ef34c4642d Mon Sep 17 00:00:00 2001
From: Marcus Hill
Date: Sat, 17 Jun 2023 16:13:02 +0100
Subject: [PATCH] Adjust content security policy
---
 login.php | 1 -
 portal/document.php | 4 ++--
 portal/documents.php | 2 +-
 portal/index.php | 2 +-
 portal/invoices.php | 2 +-
 portal/login.php | 14 ++++----------
 portal/login_create.php | 0
 portal/login_reset.php | 12 +++++-------
 portal/profile.php | 2 +-
 portal/quotes.php | 2 +-
 portal/tickets.php | 2 +-
 11 files changed, 17 insertions(+), 26 deletions(-)
 delete mode 100644 portal/login_create.php
diff --git a/login.php b/login.php
index 46071699..91884b10 100644
--- a/login.php
+++ b/login.php
@@ -1,6 +1,5 @@ purify($row['document_content']);
- +

diff --git a/portal/documents.php b/portal/documents.php
index 5d950689..e6cfa819 100644
--- a/portal/documents.php
+++ b/portal/documents.php
@@ -4,7 +4,7 @@
 * Docs for PTC / technical contacts
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
diff --git a/portal/index.php b/portal/index.php
index 78528659..6e1ad752 100644
--- a/portal/index.php
+++ b/portal/index.php
@@ -4,7 +4,7 @@
 * Landing / Home page for the client portal
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
diff --git a/portal/invoices.php b/portal/invoices.php
index 5b74f2a4..590de567 100644
--- a/portal/invoices.php
+++ b/portal/invoices.php
@@ -4,7 +4,7 @@
 * Invoices for PTC
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
diff --git a/portal/login.php b/portal/login.php
index 0400159b..f4eae805 100644
--- a/portal/login.php
+++ b/portal/login.php
@@ -4,9 +4,7 @@
 * Landing / Home page for the client portal
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
-
-header("X-Frame-Options: DENY");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 $session_company_id = 1;
 require_once('../config.php');
@@ -162,19 +160,15 @@ if ($_SERVER['REQUEST_METHOD'] == 'POST' && isset($_POST['login'])) { + + - - - +
diff --git a/portal/login_create.php b/portal/login_create.php
deleted file mode 100644
index e69de29b..00000000
diff --git a/portal/login_reset.php b/portal/login_reset.php
index ba4ca8de..87b07b47 100644
--- a/portal/login_reset.php
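Review bot: `default-src` is not a fallback for `base-uri` or `form-action`, so the tightened policy on the new `header(...)` line still leaves both unrestricted; if the portal's forms only post back to the portal, appending `; base-uri 'self'; form-action 'self'` would close that. The identical string is repeated in the index.php, invoices.php, login.php, login_reset.php, profile.php, quotes.php and tickets.php hunks, so the same applies there. Because the value is copy-pasted per page, a later change can easily miss one file; defining it once in a shared include would keep the pages in sync, assuming an include that runs before any output is available to all of them (not visible in this patch).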
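Review bot: Removing `header("X-Frame-Options: DENY");` in the first portal/login.php hunk drops the login page's framing protection, because the replacement policy has no `frame-ancestors` directive and `default-src` does not cover it. Unless the header is also set elsewhere (web server configuration or an include, neither visible here), either keep the X-Frame-Options line or extend the policy: `header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com; frame-ancestors 'none'");`. The password reset page in the portal/login_reset.php hunk receives the same policy and would benefit from the same directive.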
+++ b/portal/login_reset.php
@@ -4,6 +4,8 @@
 * Password reset page
 */
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
+
 $session_company_id = 1;
 require_once('../config.php');
 require_once('../functions.php');
@@ -274,19 +276,15 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") { + + - - - +
diff --git a/portal/profile.php b/portal/profile.php
index cac8630a..0a938abf 100644
--- a/portal/profile.php
+++ b/portal/profile.php
@@ -4,7 +4,7 @@
 * User profile
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once('inc_portal.php'); ?>
diff --git a/portal/quotes.php b/portal/quotes.php
index f89d5f31..3562ad12 100644
--- a/portal/quotes.php
+++ b/portal/quotes.php
@@ -4,7 +4,7 @@
 * Quotes for PTC / billing contacts
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");
diff --git a/portal/tickets.php b/portal/tickets.php
index c207f83b..24b1b92d 100644
--- a/portal/tickets.php
+++ b/portal/tickets.php
@@ -4,7 +4,7 @@
 * Landing / Home page for the client portal
 */
-header("Content-Security-Policy: default-src 'self' https: fonts.googleapis.com");
+header("Content-Security-Policy: default-src 'self' fonts.googleapis.com fonts.gstatic.com");
 require_once("inc_portal.php");