openrat-cms


commit 569f5add22c759f3cd82e16741aab628b51bcdd8
parent 65ff0c4626c6d2268b63db59f23bb9d8e1b01e6c
Author: Jan Dankert <devnull@localhost>
Date:   Sun, 31 Dec 2017 02:53:01 +0100

Nur Kommentare...

Diffstat:
modules/cms-ui/UI.class.php | 6+++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/modules/cms-ui/UI.class.php b/modules/cms-ui/UI.class.php
@@ -46,12 +46,16 @@ class UI
 //if (config('security','content-security-policy'))
 // config is not loaded yet.
 $csp = array('default-src \'none\'',
 'script-src \'self\' \'unsafe-inline\'',
+ // No <object>, <embed> or <applet>.
 'object-src \'none\'',
 'style-src \'self\' \'unsafe-inline\'',
 'img-src \'self\'',
+ // No <audio>, <video> elements
 'media-src \'none\'',
- 'frame-src \'self\'',
+ 'child-src \'self\'',
+ 'form-action \'self\'',
 'font-src \'none\'',
+ // Ajax-Calls
 'connect-src \'self\'');
 header('Content-Security-Policy: '.implode(';',$csp));
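Review bot: The added `form-action 'self'` covers one of the directives that do not inherit from `default-src`, but `base-uri` and `frame-ancestors` are in the same category and stay unset in the `$csp` array, so the policy restricts neither an injected `<base>` element nor framing of the UI by other origins. I would add `'base-uri \'self\'',` and `'frame-ancestors \'self\'',` next to the new `form-action` entry. Replacing `frame-src` with `child-src` also means a browser that does not know `child-src` falls back to `default-src 'none'` for frames, so keeping `'frame-src \'self\'',` alongside it is the safer choice if the UI relies on same-origin frames. The commit message says comments only, while these two lines change the effective policy, which is worth recording in the message. The enclosing method starts and ends outside the hunk.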