gnh1201/seeddms-code
1
0
Fork 0
mirror of https://git.code.sf.net/p/seeddms/code synced 2025-10-31 05:11:27 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add hook getCspRules() in htmlStartPage()

Browse Source
This commit is contained in:
Uwe Steinmann 2021-10-20 07:09:39 +02:00
parent 359be28912
commit ae08602e68
2 changed files with 22 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
views/bootstrap/class.Bootstrap.php
View File

@ -58,18 +58,21 @@ class SeedDMS_Theme_Style extends SeedDMS_View_Common {
* Content-Security-Policy since version 23+ * Content-Security-Policy since version 23+
* 'worker-src blob:' is needed for cytoscape * 'worker-src blob:' is needed for cytoscape
*/ */
$csp_rules = ''; $csp_rules = [];
$csp_rules .= "script-src 'self' 'unsafe-eval'"; $csp_rule = "script-src 'self' 'unsafe-eval'";
if($this->nonces) { if($this->nonces) {
$csp_rules .= " 'nonce-".implode("' 'nonce-", $this->nonces)."'"; $csp_rule .= " 'nonce-".implode("' 'nonce-", $this->nonces)."'";
} }
$csp_rules .= ";"; $csp_rules[] = $csp_rule;
$csp_rules .= " worker-src blob:;"; $csp_rules[] = "worker-src blob:";
//$csp_rules .= "style-src 'self';"; //$csp_rules[] = "style-src 'self'";
/* Do not allow to embed myself into frames on foreigns pages */ /* Do not allow to embed myself into frames on foreigns pages */
$csp_rules .= " frame-ancestors 'self';"; $csp_rules[] = "frame-ancestors 'self'";
if($this->hasHook('getCspRules')) {
$csp_rules = $this->callHook('getCspRules', $csp_rules);
}
foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) { foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
header($csp . ": " . $csp_rules); header($csp . ": " . implode('; ', $csp_rules).';');
} }
} }
header('X-Content-Type-Options: nosniff'); header('X-Content-Type-Options: nosniff');

19
views/bootstrap4/class.Bootstrap4.php
View File

@ -58,18 +58,21 @@ class SeedDMS_Theme_Style extends SeedDMS_View_Common {
* Content-Security-Policy since version 23+ * Content-Security-Policy since version 23+
* 'worker-src blob:' is needed for cytoscape * 'worker-src blob:' is needed for cytoscape
*/ */
$csp_rules = ''; $csp_rules = [];
$csp_rules .= "script-src 'self' 'unsafe-eval'"; $csp_rule = "script-src 'self' 'unsafe-eval'";
if($this->nonces) { if($this->nonces) {
$csp_rules .= " 'nonce-".implode("' 'nonce-", $this->nonces)."'"; $csp_rule .= " 'nonce-".implode("' 'nonce-", $this->nonces)."'";
} }
$csp_rules .= ";"; $csp_rules[] = $csp_rule;
$csp_rules .= " worker-src blob:;"; $csp_rules[] = "worker-src blob:";
//$csp_rules .= "style-src 'self';"; //$csp_rules[] = "style-src 'self'";
/* Do not allow to embed myself into frames on foreigns pages */ /* Do not allow to embed myself into frames on foreigns pages */
$csp_rules .= " frame-ancestors 'self';"; $csp_rules[] = "frame-ancestors 'self'";
if($this->hasHook('getCspRules')) {
$csp_rules = $this->callHook('getCspRules', $csp_rules);
}
foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) { foreach (array("X-WebKit-CSP", "X-Content-Security-Policy", "Content-Security-Policy") as $csp) {
header($csp . ": " . $csp_rules); header($csp . ": " . implode('; ', $csp_rules).';');
} }
} }
header('X-Content-Type-Options: nosniff'); header('X-Content-Type-Options: nosniff');