aboutsummaryrefslogtreecommitdiffstats
path: root/doc/hook/content_security_policy.bb
diff options
context:
space:
mode:
authorM.Dent (DM42.Net) <dentm42@gmail.com>2018-09-19 21:18:06 -0400
committerM.Dent (DM42.Net) <dentm42@gmail.com>2018-09-19 21:18:06 -0400
commitf2c59b3881d50dce907821054d9b79df4d009827 (patch)
treef53cf1743e28008a371eb19c0d8fb2dc2c18453e /doc/hook/content_security_policy.bb
parent34fec995f711b03bc19580ee9e57c22712cf51df (diff)
downloadvolse-hubzilla-f2c59b3881d50dce907821054d9b79df4d009827.tar.gz
volse-hubzilla-f2c59b3881d50dce907821054d9b79df4d009827.tar.bz2
volse-hubzilla-f2c59b3881d50dce907821054d9b79df4d009827.zip
Document new hooks
Diffstat (limited to 'doc/hook/content_security_policy.bb')
-rw-r--r--doc/hook/content_security_policy.bb39
1 files changed, 39 insertions, 0 deletions
diff --git a/doc/hook/content_security_policy.bb b/doc/hook/content_security_policy.bb
new file mode 100644
index 000000000..96b8095ae
--- /dev/null
+++ b/doc/hook/content_security_policy.bb
@@ -0,0 +1,39 @@
+[h2]content_security_policy[/h2]
+
+Called to modify CSP settings prior to the output of the Content-Security-Policy header.
+
+This hook permits addons to modify the content-security-policy if necessary to allow loading of foreign js libraries or css styles.
+
+[code]
+if(App::$config['system']['content_security_policy']) {
+ $cspsettings = Array (
+ 'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"),
+ 'style-src' => Array ("'self'","'unsafe-inline'")
+ );
+ call_hooks('content_security_policy',$cspsettings);
+
+ // Legitimate CSP directives (cxref: https://content-security-policy.com/)
+ $validcspdirectives=Array(
+ "default-src", "script-src", "style-src",
+ "img-src", "connect-src", "font-src",
+ "object-src", "media-src", 'frame-src',
+ 'sandbox', 'report-uri', 'child-src',
+ 'form-action', 'frame-ancestors', 'plugin-types'
+ );
+ $cspheader = "Content-Security-Policy:";
+ foreach ($cspsettings as $cspdirective => $csp) {
+ if (!in_array($cspdirective,$validcspdirectives)) {
+ logger("INVALID CSP DIRECTIVE: ".$cspdirective,LOGGER_DEBUG);
+ continue;
+ }
+ $cspsettingsarray=array_unique($cspsettings[$cspdirective]);
+ $cspsetpolicy = implode(' ',$cspsettingsarray);
+ if ($cspsetpolicy) {
+ $cspheader .= " ".$cspdirective." ".$cspsetpolicy.";";
+ }
+ }
+ header($cspheader);
+}
+[/code]
+
+see: boot.php