openrat-cms

OpenRat Content Management System

commit 557fcfe0d615d4189315ff8942538c73c8239903
parent 419ebc518ae0ced262e938d9fcf557c12e9df278
Author: Jan Dankert <develop@jandankert.de>
Date:   Sat, 14 Nov 2020 00:19:16 +0100

Allow the content security policy to be overridden by a configuration setting.

Diffstat:
Mmodules/cms/ui/UI.class.php | 10++++------
Mmodules/cms/ui/action/IndexAction.class.php | 20++++++++++++++++++++
2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/modules/cms/ui/UI.class.php b/modules/cms/ui/UI.class.php
@@ -125,12 +125,10 @@ class UI
 */
 private static function setContentSecurityPolicy()
 {
- // config is not loaded yet.
- $contentSecurityPolicyEntries = [
- 'default-src \'self\'', // Default for all is 'self'
- 'frame-src *' // For preview of urls we need to show every url in an iframe.
- ];
- header('Content-Security-Policy: ' . implode(';', $contentSecurityPolicyEntries));
+ // config is not loaded yet. Allow nothing...
+ header('Content-Security-Policy: default-src \'none\'' );
+
+ // This will be overwritten by the index action
 }
diff --git a/modules/cms/ui/action/IndexAction.class.php b/modules/cms/ui/action/IndexAction.class.php
@@ -93,6 +93,8 @@ class IndexAction extends Action
 */
 public function showView()
 {
+ $this->setContentSecurityPolicy();
+
 $user = Session::getUser();
 // Is a user logged in?
@@ -389,4 +391,22 @@ class IndexAction extends Action
 return $style;
 }
+
+
+
+ /**
+ * Content-Security-Policy.
+ */
+ private function setContentSecurityPolicy()
+ {
+ $csp = Configuration::subset('security' )->get('csp', [
+ 'default-src' =>'\'self\'', // Default for all is 'self' (CSS, styles, etc)
+ 'frame-src' => '*' // For preview of urls we need to show every url in an iframe.
+ ] );
+
+ header('Content-Security-Policy: ' . implode(';', array_map( function($value,$key) {
+ return $key.' '.$value;
+ },$csp,array_keys($csp) )));
+ }
+
 }
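Review bot: The comment `// This will be overwritten by the index action` in UI::setContentSecurityPolicy documents a cross-file coupling without naming it, so it should point at the replacing method: `// Fail-closed placeholder: IndexAction::setContentSecurityPolicy() replaces this header once the configuration is loaded.` The replacement only works because `header()` overrides an earlier header of the same name by default, so any response path that never reaches IndexAction::showView (other actions, error output) presumably keeps `default-src 'none'`, which blocks every script and stylesheet on that page; that is the safe direction, but it is worth confirming that all HTML-producing paths go through the index action. The docblock of setContentSecurityPolicy starts outside the hunk.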
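Review bot: In the new IndexAction::setContentSecurityPolicy the configured `csp` map replaces the built-in default wholesale instead of being merged with it, so a configuration that only sets `frame-src` silently drops `default-src 'self'` and the page is left with no baseline restriction. If that is not intended, keep the defaults in a local and overlay the configured map on them, e.g. `$csp = Configuration::subset('security' )->get('csp', []) + $defaults;` (array `+` keeps the configured keys and fills in the missing defaults). An empty configured map likewise produces a header with no directives, which browsers treat as no policy at all; both points belong in the docblock, which currently says only `Content-Security-Policy.`, e.g. `Sends the Content-Security-Policy header built from the security.csp configuration map (directive name => value); a configured map replaces the defaults, and an empty map yields no restrictions.` The directive values are joined into the header unescaped, which is acceptable only because the configuration file is operator-controlled rather than user-supplied.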