author | Mario Vavti <mario@mariovavti.com> | 2018-09-20 12:10:39 +0200 |
committer | Mario Vavti <mario@mariovavti.com> | 2018-09-20 12:10:39 +0200 |
commit | a6db822a696afe808d9c8cb34af1075a42fffada (patch) | |
tree | 6692324758d22afa7d0588a8262d53eabde99ee7 /doc/hook/content_security_policy.bb | |
parent | ad8226d549f40a1ae1ea47a83778afffb9230042 (diff) | |
parent | 1b2732705782a6369bdff0c00b650dfc5c1353a9 (diff) | |
Merge branch 'dev' of https://framagit.org/hubzilla/core into dev
Diffstat (limited to 'doc/hook/content_security_policy.bb')
-rw-r--r-- | doc/hook/content_security_policy.bb | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/doc/hook/content_security_policy.bb b/doc/hook/content_security_policy.bb
new file mode 100644
index 000000000..96b8095ae
--- /dev/null
+++ b/doc/hook/content_security_policy.bb
@@ -0,0 +1,39 @@
+[h2]content_security_policy[/h2]
+
+Called to modify CSP settings prior to the output of the Content-Security-Policy header.
+
+This hook permits addons to modify the content-security-policy if necessary to allow loading of foreign js libraries or css styles.
+
+[code]
+if(App::$config['system']['content_security_policy']) {
+ $cspsettings = Array (
+ 'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"),
+ 'style-src' => Array ("'self'","'unsafe-inline'")
+ );
+ call_hooks('content_security_policy',$cspsettings);
+
+ // Legitimate CSP directives (cxref: https://content-security-policy.com/)
+ $validcspdirectives=Array(
+ "default-src", "script-src", "style-src",
+ "img-src", "connect-src", "font-src",
+ "object-src", "media-src", 'frame-src',
+ 'sandbox', 'report-uri', 'child-src',
+ 'form-action', 'frame-ancestors', 'plugin-types'
+ );
+ $cspheader = "Content-Security-Policy:";
+ foreach ($cspsettings as $cspdirective => $csp) {
+ if (!in_array($cspdirective,$validcspdirectives)) {
+ logger("INVALID CSP DIRECTIVE: ".$cspdirective,LOGGER_DEBUG);
+ continue;
+ }
+ $cspsettingsarray=array_unique($cspsettings[$cspdirective]);
+ $cspsetpolicy = implode(' ',$cspsettingsarray);
+ if ($cspsetpolicy) {
+ $cspheader .= " ".$cspdirective." ".$cspsetpolicy.";";
+ }
+ }
+ header($cspheader);
+}
+[/code]
+
+see: boot.php |