aboutsummaryrefslogtreecommitdiffstats
path: root/doc/en/hook/content_security_policy.bb
blob: 96b8095ae56f730814d4873c52a0bd86f29ac97b (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
[h2]content_security_policy[/h2]

Called to modify CSP settings prior to the output of the Content-Security-Policy header.

This hook permits addons to modify the content-security-policy if necessary to allow loading of foreign js libraries or css styles.

[code]
if(App::$config['system']['content_security_policy']) {
        $cspsettings = Array (
                'script-src' => Array ("'self'","'unsafe-inline'","'unsafe-eval'"),
                'style-src' => Array ("'self'","'unsafe-inline'")
        );
        call_hooks('content_security_policy',$cspsettings);

        // Legitimate CSP directives (cxref: https://content-security-policy.com/)
        $validcspdirectives=Array(
                "default-src", "script-src", "style-src",
                "img-src", "connect-src", "font-src",
                "object-src", "media-src", 'frame-src',
                'sandbox', 'report-uri', 'child-src',
                'form-action', 'frame-ancestors', 'plugin-types'
        );
        $cspheader = "Content-Security-Policy:";
        foreach ($cspsettings as $cspdirective => $csp) {
                if (!in_array($cspdirective,$validcspdirectives)) {
                        logger("INVALID CSP DIRECTIVE: ".$cspdirective,LOGGER_DEBUG);
                        continue;
                }
                $cspsettingsarray=array_unique($cspsettings[$cspdirective]);
                $cspsetpolicy = implode(' ',$cspsettingsarray);
                if ($cspsetpolicy) {
                        $cspheader .= " ".$cspdirective." ".$cspsetpolicy.";";
                }
        }
        header($cspheader);
}
[/code]

see: boot.php