beenull/adminerevo
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Allow sending multiple CSP headers

Browse source
This commit is contained in:
Jakub Vrana 2018-01-17 11:05:59 +01:00
parent 16e05167a4
commit ba9099f084
2 changed files with 17 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
adminer/include/adminer.inc.php
View file

@ -71,7 +71,7 @@ class Adminer {
}
/** Get Content Security Policy headers
* @return array directive name in key, allowed sources in value
* @return array of arrays with directive name in key, allowed sources in value
*/
function csp() {
return csp();

30
adminer/include/design.inc.php
View file

@ -93,28 +93,30 @@ function page_headers() {
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: origin-when-cross-origin");
$csp = array();
foreach ($adminer->csp() as $key => $val) {
$csp[] = "$key $val";
}
if ($csp) {
header("Content-Security-Policy: " . implode("; ", $csp));
foreach ($adminer->csp() as $csp) {
$header = array();
foreach ($csp as $key => $val) {
$header[] = "$key $val";
}
header("Content-Security-Policy: " . implode("; ", $header));
}
$adminer->headers();
}
/** Get Content Security Policy headers
* @return array directive name in key, allowed sources in value
* @return array of arrays with directive name in key, allowed sources in value
*/
function csp() {
return array(
"default-src" => "'none'",
"script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
"style-src" => "'self' 'unsafe-inline'",
"connect-src" => "'self'",
"img-src" => "'self' data:",
"frame-src" => "https://www.adminer.org",
"form-action" => "'self'",
array(
"default-src" => "'none'",
"script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
"style-src" => "'self' 'unsafe-inline'",
"connect-src" => "'self'",
"img-src" => "'self' data:",
"frame-src" => "https://www.adminer.org",
"form-action" => "'self'",
),
);
}