From 0e233673e32ffff50dd9392fb3c371a9fff8bf0a Mon Sep 17 00:00:00 2001
From: Frederic Guillot <fred@kanboard.net>
Date: Sat, 10 Oct 2015 18:59:06 -0400
Subject: Allow plugins to override CSP rules

---
 app/Controller/Base.php               |  2 +-
 app/Core/Plugin/Base.php              | 11 +++++++++++
 app/ServiceProvider/ClassProvider.php |  2 ++
 doc/plugins.markdown                  | 21 ++++++++++++++++++++-
 4 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index 480976b0..e0fd59cb 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -80,7 +80,7 @@ abstract class Base extends \Core\Base
     private function sendHeaders($action)
     {
         // HTTP secure headers
-        $this->response->csp(array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:'));
+        $this->response->csp($this->container['cspRules']);
         $this->response->nosniff();
         $this->response->xss();
 
diff --git a/app/Core/Plugin/Base.php b/app/Core/Plugin/Base.php
index a72a0cd6..1b7ac8f5 100644
--- a/app/Core/Plugin/Base.php
+++ b/app/Core/Plugin/Base.php
@@ -18,6 +18,17 @@ abstract class Base extends \Core\Base
      */
     abstract public function initialize();
 
+    /**
+     * Override default CSP rules
+     *
+     * @access public
+     * @param  array  $rules
+     */
+    public function setContentSecurityPolicy(array $rules)
+    {
+        $this->container['cspRules'] = $rules;
+    }
+
     /**
      * Returns all classes that needs to be stored in the DI container
      *
diff --git a/app/ServiceProvider/ClassProvider.php b/app/ServiceProvider/ClassProvider.php
index 8a959638..5d157749 100644
--- a/app/ServiceProvider/ClassProvider.php
+++ b/app/ServiceProvider/ClassProvider.php
@@ -126,5 +126,7 @@ class ClassProvider implements ServiceProviderInterface
         };
 
         $container['pluginLoader'] = new Loader($container);
+
+        $container['cspRules'] = array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:');
     }
 }
diff --git a/doc/plugins.markdown b/doc/plugins.markdown
index 031bf963..9e0a4cfe 100644
--- a/doc/plugins.markdown
+++ b/doc/plugins.markdown
@@ -198,7 +198,7 @@ Example to add new content in the dashboard sidebar:
 $this->template->hook->attach('template:dashboard:sidebar', 'myplugin:dashboard/sidebar');
 ```
 
-This call is usually defined in the `initialize()` method. 
+This call is usually defined in the `initialize()` method.
 The first argument is name of the hook and the second argument is the template name.
 
 Template names prefixed with the plugin name and colon indicate the location of the template.
@@ -329,6 +329,25 @@ $this->on('session.bootstrap', function($container) {
 
 The translations must be stored in `plugins/Myplugin/Locale/xx_XX/translations.php`.
 
+Override HTTP Content Security Policy
+-------------------------------------
+
+If you would like to replace the default HTTP Content Security Policy header, you can use the method `setContentSecurityPolicy()`:
+
+```php
+<?php
+
+namespace Plugin\Csp;
+
+class Plugin extends \Core\Plugin\Base
+{
+    public function initialize()
+    {
+        $this->setContentSecurityPolicy(array('script-src' => 'something'));
+    }
+}
+```
+
 Dependency Injection Container
 ------------------------------
 
-- 
cgit v1.2.3