author | M. Dent <dentm42@gmail.com> | 2018-07-13 09:34:48 +0200 |
---|---|---|
committer | Mario <mario@mariovavti.com> | 2018-07-13 09:34:48 +0200 |
commit | 38cc88c861f1c646fe5896635b1981acc2760586 (patch) | |
tree | d42b6d903088c0d64f69f1cb52520b8eba423423 /boot.php | |
parent | 48e74035f26ed8228ae834c633056fdc87668b71 (diff) | |
Hookable csp mr
Diffstat (limited to 'boot.php')
-rwxr-xr-x | boot.php | 33 |
1 files changed, 30 insertions, 3 deletions
@@ -1720,7 +1720,7 @@ function can_view_public_stream() {
     if(observer_prohibited(true)) {
         return false;
     }
-
+
     if(! (intval(get_config('system','open_pubstream',1)))) {
         if(! get_observer_hash()) {
             return false;
@@ -2234,8 +2234,35 @@ function construct_page() {
     if(App::get_scheme() === 'https' && App::$config['system']['transport_security_header'])
         header("Strict-Transport-Security: max-age=31536000");
-    if(App::$config['system']['content_security_policy'])
-        header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+    if(App::$config['system']['content_security_policy']) {
+        $cspsettings = Array (
+            'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"),
+            'style-src' => Array ("'self'","'unsafe-inline'")
+        );
+        call_hooks('content_security_policy',$cspsettings);
+
+        // Legitimate CSP directives (cxref: https://content-security-policy.com/)
+        $validcspdirectives=Array(
+            "default-src", "script-src", "style-src",
+            "img-src", "connect-src", "font-src",
+            "object-src", "media-src", 'frame-src',
+            'sandbox', 'report-uri', 'child-src',
+            'form-action', 'frame-ancestors', 'plugin-types'
+        );
+        $cspheader = "Content-Security-Policy:";
+        foreach ($cspsettings as $cspdirective => $csp) {
+            if (!in_array($cspdirective,$validcspdirectives)) {
+                logger("INVALID CSP DIRECTIVE: ".$cspdirective,LOGGER_DEBUG);
+                continue;
+            }
+            $cspsettingsarray=array_unique($cspsettings[$cspdirective]);
+            $cspsetpolicy = implode(' ',$cspsettingsarray);
+            if ($cspsetpolicy) {
+                $cspheader .= " ".$cspdirective." ".$cspsetpolicy.";";
+            }
+        }
+        header($cspheader);
+    }
     if(App::$config['system']['x_security_headers']) {
         header("X-Frame-Options: SAMEORIGIN");