Allow customizing CSP

This commit is contained in:
Jakub Vrana 2018-01-09 18:53:17 +01:00
parent 541c3c1fed
commit 4be72a2a0d
4 changed files with 36 additions and 1 deletions


@ -70,6 +70,13 @@ class Adminer {
function headers() { function headers() {
} }
/** Get Content Security Policy headers
* @return array directive name in key, allowed sources in value
*/
function csp() {
return csp();
}
/** Print HTML code inside <head> /** Print HTML code inside <head>
* @return bool true to link adminer.css if exists * @return bool true to link adminer.css if exists
*/ */
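Review bot: The new docblock on `Adminer::csp()` does not say that an override replaces the whole policy rather than extending it: `page_headers()` in this commit emits only what this method returns, so an override that returns a partial map silently drops `default-src 'none'` and every other default. I would extend the comment with ` * Overriding this replaces the entire policy; start from the global csp() default and adjust it rather than returning only the directives you care about. Values are written into the header verbatim.` above the existing `@return` line. The one-line body forwarding to the global `csp()` needs no change.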


@ -91,10 +91,29 @@ function page_headers() {
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
header("X-Content-Type-Options: nosniff"); header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: origin-when-cross-origin"); header("Referrer-Policy: origin-when-cross-origin");
header("Content-Security-Policy: default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; connect-src 'self'; img-src 'self' data:; frame-src https://www.adminer.org; form-action 'self'"); $csp = array();
foreach ($adminer->csp() as $key => $val) {
$csp[] = "$key $val";
}
header("Content-Security-Policy: " . implode("; ", $csp));
$adminer->headers(); $adminer->headers();
} }
/** Get Content Security Policy headers
* @return array directive name in key, allowed sources in value
*/
function csp() {
return array(
"default-src" => "'none'",
"script-src" => "'self' 'unsafe-inline'",
"style-src" => "'self' 'unsafe-inline'",
"connect-src" => "'self'",
"img-src" => "'self' data:",
"frame-src" => "https://www.adminer.org",
"form-action" => "'self'",
);
}
/** Print flash and error messages /** Print flash and error messages
* @param string * @param string
* @return null * @return null
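Review bot: The loop that builds `$csp` in `page_headers()` interpolates the customised keys and values verbatim, so a `csp()` override whose value contains CR or LF would, as far as I understand PHP's `header()`, cause the header to be refused with a warning — the page would then be served with no Content-Security-Policy at all instead of a slightly wrong one — and a stray `;` in a value would be parsed by the browser as a separate directive. A cheap guard is to skip malformed entries before joining, `if (preg_match('~[;\r\n]~', "$key$val")) { continue; }` as the first statement of the foreach, or at minimum to add to the new `csp()` docblock ` * Values are emitted into the header unchanged and must not contain ';', CR or LF.` so plugin authors know the contract. `page_headers()` starts above this hunk, so I cannot see whether anything earlier already validates `$adminer`.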


@ -47,6 +47,10 @@ class Adminer {
function headers() { function headers() {
} }
function csp() {
return csp();
}
function head() { function head() {
return true; return true;
} }
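Review bot: The `csp()` added to the editor's `Adminer` class has no docblock, while the identical method added to `adminer/include/adminer.inc.php` in the same commit documents its return shape, so anyone customising the editor build gets no hint of the contract. I would add the same comment above it: `/** Get Content Security Policy headers` / ` * @return array directive name in key, allowed sources in value` / ` */`. The body only forwards to the global `csp()`, so no code change is needed.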


@ -127,6 +127,11 @@ class AdminerPlugin extends Adminer {
return $this->_applyPlugin(__FUNCTION__, $args); return $this->_applyPlugin(__FUNCTION__, $args);
} }
function csp() {
$args = func_get_args();
return $this->_applyPlugin(__FUNCTION__, $args);
}
function head() { function head() {
$args = func_get_args(); $args = func_get_args();
return $this->_applyPlugin(__FUNCTION__, $args); return $this->_applyPlugin(__FUNCTION__, $args);
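Review bot: `AdminerPlugin::csp()` carries no documentation of what a plugin's `csp()` must return, and because `page_headers()` in this commit sends exactly the array it receives, a plugin that returns only the directive it wants to relax (say `frame-src`) drops `default-src 'none'` and all the other defaults, widening the policy far beyond what the author intended. A comment on this method should state that a plugin must return the complete directive map, normally by taking the global default and editing it, e.g. `$csp = csp(); $csp["frame-src"] .= " https://example.com"; return $csp;`. Whether `_applyPlugin` returns the first non-null plugin result or chains several is not visible here, so which plugin wins when more than one defines `csp()` is worth stating in the same comment. The `head()` wrapper at the bottom continues outside the hunk.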