diff options
| author | Frederic Guillot <fred@kanboard.net> | 2015-10-10 18:59:06 -0400 |
|---|---|---|
| committer | Frederic Guillot <fred@kanboard.net> | 2015-10-10 18:59:06 -0400 |
| commit | 0e233673e32ffff50dd9392fb3c371a9fff8bf0a (patch) | |
| tree | f7e3b24813c28f122de1b42dcf3784faabb3ae2f /app | |
| parent | e3521db6a83639b409e2dd7abb19417f3ac0a9cd (diff) | |
Allow plugins to override CSP rules
Diffstat (limited to 'app')
| -rw-r--r-- | app/Controller/Base.php | 2 | ||||
| -rw-r--r-- | app/Core/Plugin/Base.php | 11 | ||||
| -rw-r--r-- | app/ServiceProvider/ClassProvider.php | 2 |
3 files changed, 14 insertions, 1 deletions
diff --git a/app/Controller/Base.php b/app/Controller/Base.php index 480976b0..e0fd59cb 100644 --- a/app/Controller/Base.php +++ b/app/Controller/Base.php @@ -80,7 +80,7 @@ abstract class Base extends \Core\Base private function sendHeaders($action) { // HTTP secure headers - $this->response->csp(array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:')); + $this->response->csp($this->container['cspRules']); $this->response->nosniff(); $this->response->xss(); diff --git a/app/Core/Plugin/Base.php b/app/Core/Plugin/Base.php index a72a0cd6..1b7ac8f5 100644 --- a/app/Core/Plugin/Base.php +++ b/app/Core/Plugin/Base.php @@ -19,6 +19,17 @@ abstract class Base extends \Core\Base abstract public function initialize(); /** + * Override default CSP rules + * + * @access public + * @param array $rules + */ + public function setContentSecurityPolicy(array $rules) + { + $this->container['cspRules'] = $rules; + } + + /** * Returns all classes that needs to be stored in the DI container * * @access public diff --git a/app/ServiceProvider/ClassProvider.php b/app/ServiceProvider/ClassProvider.php index 8a959638..5d157749 100644 --- a/app/ServiceProvider/ClassProvider.php +++ b/app/ServiceProvider/ClassProvider.php @@ -126,5 +126,7 @@ class ClassProvider implements ServiceProviderInterface }; $container['pluginLoader'] = new Loader($container); + + $container['cspRules'] = array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:'); } } |