aboutsummaryrefslogtreecommitdiffstats
path: root/boot.php
diff options
context:
space:
mode:
authorM. Dent <dentm42@gmail.com>2018-07-13 09:34:48 +0200
committerMario <mario@mariovavti.com>2018-07-13 09:34:48 +0200
commit38cc88c861f1c646fe5896635b1981acc2760586 (patch)
treed42b6d903088c0d64f69f1cb52520b8eba423423 /boot.php
parent48e74035f26ed8228ae834c633056fdc87668b71 (diff)
downloadvolse-hubzilla-38cc88c861f1c646fe5896635b1981acc2760586.tar.gz
volse-hubzilla-38cc88c861f1c646fe5896635b1981acc2760586.tar.bz2
volse-hubzilla-38cc88c861f1c646fe5896635b1981acc2760586.zip
Hookable csp mr
Diffstat (limited to 'boot.php')
-rwxr-xr-xboot.php33
1 files changed, 30 insertions, 3 deletions
diff --git a/boot.php b/boot.php
index e13910ecf..3b8347c30 100755
--- a/boot.php
+++ b/boot.php
@@ -1720,7 +1720,7 @@ function can_view_public_stream() {
if(observer_prohibited(true)) {
return false;
}
-
+
if(! (intval(get_config('system','open_pubstream',1)))) {
if(! get_observer_hash()) {
return false;
@@ -2234,8 +2234,35 @@ function construct_page() {
if(App::get_scheme() === 'https' && App::$config['system']['transport_security_header'])
header("Strict-Transport-Security: max-age=31536000");
- if(App::$config['system']['content_security_policy'])
- header("Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'");
+ if(App::$config['system']['content_security_policy']) {
+ $cspsettings = Array (
+ 'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"),
+ 'style-src' => Array ("'self'","'unsafe-inline'")
+ );
+ call_hooks('content_security_policy',$cspsettings);
+
+ // Legitimate CSP directives (cxref: https://content-security-policy.com/)
+ $validcspdirectives=Array(
+ "default-src", "script-src", "style-src",
+ "img-src", "connect-src", "font-src",
+ "object-src", "media-src", 'frame-src',
+ 'sandbox', 'report-uri', 'child-src',
+ 'form-action', 'frame-ancestors', 'plugin-types'
+ );
+ $cspheader = "Content-Security-Policy:";
+ foreach ($cspsettings as $cspdirective => $csp) {
+ if (!in_array($cspdirective,$validcspdirectives)) {
+ logger("INVALID CSP DIRECTIVE: ".$cspdirective,LOGGER_DEBUG);
+ continue;
+ }
+ $cspsettingsarray=array_unique($cspsettings[$cspdirective]);
+ $cspsetpolicy = implode(' ',$cspsettingsarray);
+ if ($cspsetpolicy) {
+ $cspheader .= " ".$cspdirective." ".$cspsetpolicy.";";
+ }
+ }
+ header($cspheader);
+ }
if(App::$config['system']['x_security_headers']) {
header("X-Frame-Options: SAMEORIGIN");