Allow sending multiple CSP headers
This commit is contained in:
parent
16e05167a4
commit
ba9099f084
|
@ -71,7 +71,7 @@ class Adminer {
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Get Content Security Policy headers
|
/** Get Content Security Policy headers
|
||||||
* @return array directive name in key, allowed sources in value
|
* @return array of arrays with directive name in key, allowed sources in value
|
||||||
*/
|
*/
|
||||||
function csp() {
|
function csp() {
|
||||||
return csp();
|
return csp();
|
||||||
|
|
|
@ -93,21 +93,22 @@ function page_headers() {
|
||||||
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
|
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
|
||||||
header("X-Content-Type-Options: nosniff");
|
header("X-Content-Type-Options: nosniff");
|
||||||
header("Referrer-Policy: origin-when-cross-origin");
|
header("Referrer-Policy: origin-when-cross-origin");
|
||||||
$csp = array();
|
foreach ($adminer->csp() as $csp) {
|
||||||
foreach ($adminer->csp() as $key => $val) {
|
$header = array();
|
||||||
$csp[] = "$key $val";
|
foreach ($csp as $key => $val) {
|
||||||
|
$header[] = "$key $val";
|
||||||
}
|
}
|
||||||
if ($csp) {
|
header("Content-Security-Policy: " . implode("; ", $header));
|
||||||
header("Content-Security-Policy: " . implode("; ", $csp));
|
|
||||||
}
|
}
|
||||||
$adminer->headers();
|
$adminer->headers();
|
||||||
}
|
}
|
||||||
|
|
||||||
/** Get Content Security Policy headers
|
/** Get Content Security Policy headers
|
||||||
* @return array directive name in key, allowed sources in value
|
* @return array of arrays with directive name in key, allowed sources in value
|
||||||
*/
|
*/
|
||||||
function csp() {
|
function csp() {
|
||||||
return array(
|
return array(
|
||||||
|
array(
|
||||||
"default-src" => "'none'",
|
"default-src" => "'none'",
|
||||||
"script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
|
"script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
|
||||||
"style-src" => "'self' 'unsafe-inline'",
|
"style-src" => "'self' 'unsafe-inline'",
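Review bot: The rewritten loop in page_headers() drops the old `if ($csp)` guard, so an inner array that ends up empty now sends a bare `Content-Security-Policy: ` header, and an empty policy imposes no restrictions. This matters for a plugin that overrides csp() and still returns the previous flat directive map: each `$csp` is then a string, the inner `foreach ($csp as $key => $val)` only emits a warning, `$header` stays empty, and the page ships with no effective policy instead of the restrictive default. Restore the guard around the emission, `if ($header) { header("Content-Security-Policy: " . implode("; ", $header)); }`, and consider treating a non-array `$csp` as the legacy shape so such plugins keep sending a policy. page_headers() begins before this hunk.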
|
||||||
|
@ -115,6 +116,7 @@ function csp() {
|
||||||
"img-src" => "'self' data:",
|
"img-src" => "'self' data:",
|
||||||
"frame-src" => "https://www.adminer.org",
|
"frame-src" => "https://www.adminer.org",
|
||||||
"form-action" => "'self'",
|
"form-action" => "'self'",
|
||||||
|
),
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|