From ae08602e68bb5e79686c6258a16b7d0558df58fc Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Wed, 20 Oct 2021 07:09:39 +0200
Subject: [PATCH] add hook getCspRules() in htmlStartPage()
---
 views/bootstrap/class.Bootstrap.php | 19 +++++++++++--------
 views/bootstrap4/class.Bootstrap4.php | 19 +++++++++++--------
 2 files changed, 22 insertions(+), 16 deletions(-)
diff --git a/views/bootstrap/class.Bootstrap.php b/views/bootstrap/class.Bootstrap.php
index 0e92f8539..fef6cf190 100644
--- a/views/bootstrap/class.Bootstrap.php
+++ b/views/bootstrap/class.Bootstrap.php
@@ -58,18 +58,21 @@ class SeedDMS_Theme_Style extends SeedDMS_View_Common {
 * Content-Security-Policy since version 23+
 * 'worker-src blob:' is needed for cytoscape
 */
- $csp_rules = '';
- $csp_rules .= "script-src 'self' 'unsafe-eval'";
+ $csp_rules = [];
+ $csp_rule = "script-src 'self' 'unsafe-eval'";
 if($this->nonces) {
- $csp_rules .= " 'nonce-".implode("' 'nonce-", $this->nonces)."'";
+ $csp_rule .= " 'nonce-".implode("' 'nonce-", $this->nonces)."'";
 }
- $csp_rules .= ";";
- $csp_rules .= " worker-src blob:;";
- //$csp_rules .= "style-src 'self';";
+ $csp_rules[] = $csp_rule;
+ $csp_rules[] = "worker-src blob:";
+ //$csp_rules[] = "style-src 'self'";
 /* Do not allow to embed myself into frames on foreigns pages */
- $csp_rules .= " frame-ancestors 'self';";
+ $csp_rules[] = "frame-ancestors 'self'";
+ if($this->hasHook('getCspRules')) {
+ $csp_rules = $this->callHook('getCspRules', $csp_rules);
+ }
 foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
- header($csp . ": " . $csp_rules);
+ header($csp . ": " . implode('; ', $csp_rules).';');
 }
 }
 header('X-Content-Type-Options: nosniff');
diff --git a/views/bootstrap4/class.Bootstrap4.php b/views/bootstrap4/class.Bootstrap4.php
index 61da1600d..138c8727b 100644
--- a/views/bootstrap4/class.Bootstrap4.php
+++ b/views/bootstrap4/class.Bootstrap4.php
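Review bot: The result of `$this->callHook('getCspRules', $csp_rules)` is assigned back unconditionally, so a hook that returns nothing (null) or a non-array leaves `$csp_rules` empty and the `implode()` below sends a header of just `;` — the entire policy, including `frame-ancestors 'self'` and the script-src restrictions, silently disappears on PHP 7, and on PHP 8 `implode()` rejects null with a TypeError instead. callHook's behaviour when no extension handles the hook is not visible in this hunk, so this is inferred from how the return value is consumed. I would only accept a non-empty array: `$ret = $this->callHook('getCspRules', $csp_rules); if(is_array($ret) && $ret) $csp_rules = $ret;`. It is also worth a comment above the hook call noting that browsers honour only the first occurrence of a CSP directive, so a hook that wants to extend `script-src` must edit the existing entry rather than append a second one. The enclosing method starts before the hunk.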
@@ -58,18 +58,21 @@ class SeedDMS_Theme_Style extends SeedDMS_View_Common {
 * Content-Security-Policy since version 23+
 * 'worker-src blob:' is needed for cytoscape
 */
- $csp_rules = '';
- $csp_rules .= "script-src 'self' 'unsafe-eval'";
+ $csp_rules = [];
+ $csp_rule = "script-src 'self' 'unsafe-eval'";
 if($this->nonces) {
- $csp_rules .= " 'nonce-".implode("' 'nonce-", $this->nonces)."'";
+ $csp_rule .= " 'nonce-".implode("' 'nonce-", $this->nonces)."'";
 }
- $csp_rules .= ";";
- $csp_rules .= " worker-src blob:;";
- //$csp_rules .= "style-src 'self';";
+ $csp_rules[] = $csp_rule;
+ $csp_rules[] = "worker-src blob:";
+ //$csp_rules[] = "style-src 'self'";
 /* Do not allow to embed myself into frames on foreigns pages */
- $csp_rules .= " frame-ancestors 'self';";
+ $csp_rules[] = "frame-ancestors 'self'";
+ if($this->hasHook('getCspRules')) {
+ $csp_rules = $this->callHook('getCspRules', $csp_rules);
+ }
 foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
- header($csp . ": " . $csp_rules);
+ header($csp . ": " . implode('; ', $csp_rules).';');
 }
 }
 header('X-Content-Type-Options: nosniff');
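Review bot: `$csp_rules = $this->callHook('getCspRules', $csp_rules);` trusts whatever the hook returns; if no extension handles the call and callHook yields null (its contract is not visible here), `implode('; ', $csp_rules)` produces an empty policy `;` on PHP 7 — dropping `frame-ancestors 'self'` and the script-src restrictions with no error — and raises a TypeError on PHP 8. Guard the assignment so only a non-empty array can replace the defaults: `$hooked = $this->callHook('getCspRules', $csp_rules); if(is_array($hooked) && $hooked) $csp_rules = $hooked;`. Since this block is a byte-for-byte copy of the Bootstrap theme's hunk, building the rule list in one shared helper on the common parent would keep both themes in sync when such a fix lands. The surrounding method begins before this hunk.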