
commit d5e03aa3ef7e577cb737e9b021fc843696f5084a
parent e815971903ae69d51001cedc5fc4d8a7071047d7
Author: Jan Dankert <devnull@localhost>
Date:   Mon,  1 Jan 2018 22:18:43 +0100

CSP in eigener Methode.

Diffstat:
modules/cms-ui/UI.class.php | 43++++++++++++++++++++++++++-----------------
1 file changed, 26 insertions(+), 17 deletions(-)

diff --git a/modules/cms-ui/UI.class.php b/modules/cms-ui/UI.class.php
@@ -42,23 +42,8 @@ class UI
 $dispatcher->subaction = $subaction;
 define('OR_METHOD', $subaction);
- // Content-Security-Policy
- //if (config('security','content-security-policy')) // config is not loaded yet.
- $contentSecurityPolicyEntries = array(
- 'default-src \'none\'',
- 'script-src \'self\' \'unsafe-inline\'',
- // No <object>, <embed> or <applet>.
- 'object-src \'none\'',
- 'style-src \'self\'',
- 'img-src \'self\'',
- // No <audio>, <video> elements
- 'media-src \'none\'',
- 'child-src \'self\'',
- 'form-action \'self\'',
- 'font-src \'none\'',
- // Ajax-Calls
- 'connect-src \'self\'');
- header('Content-Security-Policy: '.implode(';',$contentSecurityPolicyEntries));
+ self::setContentSecurityPolicy();
+ $data = $dispatcher->doAction();
@@ -128,4 +113,28 @@ class UI
 }
+
+ /**
+ * Content-Security-Policy.
+ */
+ private static function setContentSecurityPolicy()
+ {
+ //if (config('security','content-security-policy')) // config is not loaded yet.
+ $contentSecurityPolicyEntries = array(
+ 'default-src \'none\'',
+ 'script-src \'self\' \'unsafe-inline\'',
+ // No <object>, <embed> or <applet>.
+ 'object-src \'none\'',
+ 'style-src \'self\'',
+ 'img-src \'self\'',
+ // No <audio>, <video> elements
+ 'media-src \'none\'',
+ 'child-src \'self\'',
+ 'form-action \'self\'',
+ 'font-src \'none\'',
+ // Ajax-Calls
+ 'connect-src \'self\'');
+ header('Content-Security-Policy: ' . implode(';', $contentSecurityPolicyEntries));
+ }
+ }
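Review bot: The docblock of the new `setContentSecurityPolicy()` in the second hunk says only "Content-Security-Policy." and the method has no return type; it should state what the policy permits, e.g. `Emits a restrictive CSP header: same-origin scripts, styles, images, frames, forms and XHR; inline scripts allowed; plugins, media and fonts blocked.`, and, if the project targets PHP 7.1 or later, be declared `private static function setContentSecurityPolicy(): void`. The `'script-src \'self\' \'unsafe-inline\''` entry needs a why-comment, because `'unsafe-inline'` gives up most of the protection CSP offers against injected script; a `// TODO: replace 'unsafe-inline' with nonces or hashes once inline scripts are moved to files` would record that this is a known compromise rather than an oversight. `child-src` is deprecated in CSP Level 3 in favour of `frame-src`/`worker-src`, and neither `frame-ancestors` nor `base-uri` is set, so framing by other origins and `<base>` injection are not restricted by this header — worth a docblock note if the omission is deliberate. The commented-out `config('security','content-security-policy')` check is now inside a method, which is the natural place to accept the enable flag as a parameter once configuration is loaded at this point; until then the dead comment should say why it stays.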