Allow sending multiple CSP headers

This commit is contained in:
Jakub Vrana 2018-01-17 11:05:59 +01:00
parent 16e05167a4
commit ba9099f084
2 changed files with 17 additions and 15 deletions


@ -71,7 +71,7 @@ class Adminer {
} }
/** Get Content Security Policy headers /** Get Content Security Policy headers
* @return array directive name in key, allowed sources in value * @return array of arrays with directive name in key, allowed sources in value
*/ */
function csp() { function csp() {
return csp(); return csp();


@ -93,28 +93,30 @@ function page_headers() {
header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page header("X-XSS-Protection: 0"); // prevents introducing XSS in IE8 by removing safe parts of the page
header("X-Content-Type-Options: nosniff"); header("X-Content-Type-Options: nosniff");
header("Referrer-Policy: origin-when-cross-origin"); header("Referrer-Policy: origin-when-cross-origin");
$csp = array(); foreach ($adminer->csp() as $csp) {
foreach ($adminer->csp() as $key => $val) { $header = array();
$csp[] = "$key $val"; foreach ($csp as $key => $val) {
} $header[] = "$key $val";
if ($csp) { }
header("Content-Security-Policy: " . implode("; ", $csp)); header("Content-Security-Policy: " . implode("; ", $header));
} }
$adminer->headers(); $adminer->headers();
} }
/** Get Content Security Policy headers /** Get Content Security Policy headers
* @return array directive name in key, allowed sources in value * @return array of arrays with directive name in key, allowed sources in value
*/ */
function csp() { function csp() {
return array( return array(
"default-src" => "'none'", array(
"script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-' "default-src" => "'none'",
"style-src" => "'self' 'unsafe-inline'", "script-src" => "'self' 'unsafe-inline' 'nonce-" . get_nonce() . "' 'strict-dynamic'", // 'self' is a fallback for browsers not supporting 'strict-dynamic', 'unsafe-inline' is a fallback for browsers not supporting 'nonce-'
"connect-src" => "'self'", "style-src" => "'self' 'unsafe-inline'",
"img-src" => "'self' data:", "connect-src" => "'self'",
"frame-src" => "https://www.adminer.org", "img-src" => "'self' data:",
"form-action" => "'self'", "frame-src" => "https://www.adminer.org",
"form-action" => "'self'",
),
); );
} }
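Review bot: The `if ($csp)` guard from the old code is dropped in the new loop, so an empty directive array returned by `$adminer->csp()` (e.g. a plugin override returning `array(array())`) now emits `Content-Security-Policy: ` with an empty value instead of sending nothing; keep the guard per entry, `if ($header) { header("Content-Security-Policy: " . implode("; ", $header)); }`. A non-array element in the outer array would also make the inner `foreach` warn and skip, so either an `is_array($csp)` check or a docblock line on `csp()` stating that each element must be an associative array of directives would make the contract explicit to overriders. page_headers() begins before this hunk.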