From 4be72a2a0d942f944d772212f3799798dd0ebd65 Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Tue, 9 Jan 2018 18:53:17 +0100
Subject: [PATCH] Allow customizing CSP

---
 adminer/include/adminer.inc.php | 7 +++++++
 adminer/include/design.inc.php | 21 ++++++++++++++++++++-
 editor/include/adminer.inc.php | 4 ++++
 plugins/plugin.php | 5 +++++
 4 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/adminer/include/adminer.inc.php b/adminer/include/adminer.inc.php
index c25a8e0a..20637cc0 100644
--- a/adminer/include/adminer.inc.php
+++ b/adminer/include/adminer.inc.php
@@ -70,6 +70,13 @@ class Adminer {
 function headers() {
 }
+ /** Get Content Security Policy headers
 * @return array directive name in key, allowed sources in value
 */
+ function csp() {
+ return csp();
+ }
+
 /** Print HTML code inside
 * @return bool true to link adminer.css if exists
 */
diff --git a/adminer/include/design.inc.php b/adminer/include/design.inc.php
index 3ec43467..a90f103c 100644
--- a/adminer/include/design.inc.php
+++ b/adminer/include/design.inc.php
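Review bot: The docblock on the new `Adminer::csp()` does not say how an override is expected to behave, and because page_headers() builds the policy solely from this return value, an override that returns a fresh array silently drops `default-src 'none'` and `form-action 'self'` along with every other default directive. I would extend the comment with the intended pattern, e.g. `* Overrides should start from the default returned by csp() and add or adjust directives; the returned array replaces the whole policy.` The same note applies to the forwarding `csp()` added in plugins/plugin.php, where a plugin implementing the method presumably replaces the default entirely rather than merging with it. The enclosing class Adminer continues outside the hunk.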
@@ -91,10 +91,29 @@ function page_headers() {
 header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
 header("X-Content-Type-Options: nosniff");
 header("Referrer-Policy: origin-when-cross-origin");
- header("Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; frame-src https://www.adminer.org; form-action 'self'");
+ $csp = array();
+ foreach ($adminer->csp() as $key => $val) {
+ $csp[] = "$key $val";
+ }
+ header("Content-Security-Policy: " . implode("; ", $csp));
 $adminer->headers();
 }
+/** Get Content Security Policy headers
+* @return array directive name in key, allowed sources in value
+*/
+function csp() {
+ return array(
+ "default-src" => "'none'",
+ "script-src" => "'self' 'unsafe-inline'",
+ "style-src" => "'self' 'unsafe-inline'",
+ "connect-src" => "'self'",
+ "img-src" => "'self' data:",
+ "frame-src" => "https://www.adminer.org",
+ "form-action" => "'self'",
+ );
+}
+
 /** Print flash and error messages
 * @param string
 * @return null
diff --git a/editor/include/adminer.inc.php b/editor/include/adminer.inc.php
index 4c55d937..8f6275ae 100644
--- a/editor/include/adminer.inc.php
+++ b/editor/include/adminer.inc.php
@@ -47,6 +47,10 @@ class Adminer {
 function headers() {
 }
+ function csp() {
+ return csp();
+ }
+
 function head() {
 return true;
 }
diff --git a/plugins/plugin.php b/plugins/plugin.php
index c2c6aa0d..20a80c2a 100644
--- a/plugins/plugin.php
+++ b/plugins/plugin.php
@@ -127,6 +127,11 @@ class AdminerPlugin extends Adminer {
 return $this->_applyPlugin(__FUNCTION__, $args);
 }
+ function csp() {
+ $args = func_get_args();
+ return $this->_applyPlugin(__FUNCTION__, $args);
+ }
+
 function head() {
 $args = func_get_args();
 return $this->_applyPlugin(__FUNCTION__, $args);
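Review bot: In page_headers() the new code emits `Content-Security-Policy: ` with an empty value whenever the customized `$adminer->csp()` returns no directives, and it joins keys and values verbatim, so a value containing `;` turns into an additional directive. Sending the header only when there is something to send keeps the output well-formed: `if ($csp) { header("Content-Security-Policy: " . implode("; ", $csp)); }`. The directive values come only from code (the default `csp()` or an override), so this is a robustness concern rather than an injection path, and the default returned by the new global `csp()` matches the removed hard-coded header directive for directive. The docblock on the global `csp()` says it returns "headers" while the value is a directive map; `Get Content Security Policy directives` would describe it more precisely. page_headers() starts outside the hunk, and `$adminer` is presumably bound there by a global declaration.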