From 0e233673e32ffff50dd9392fb3c371a9fff8bf0a Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Sat, 10 Oct 2015 18:59:06 -0400
Subject: Allow plugins to override CSP rules
---
 app/Controller/Base.php | 2 +-
 app/Core/Plugin/Base.php | 11 +++++++++++
 app/ServiceProvider/ClassProvider.php | 2 ++
 3 files changed, 14 insertions(+), 1 deletion(-)
(limited to 'app')
diff --git a/app/Controller/Base.php b/app/Controller/Base.php
index 480976b0..e0fd59cb 100644
--- a/app/Controller/Base.php
+++ b/app/Controller/Base.php
@@ -80,7 +80,7 @@ abstract class Base extends \Core\Base
 private function sendHeaders($action)
 {
 // HTTP secure headers
- $this->response->csp(array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:'));
+ $this->response->csp($this->container['cspRules']);
 $this->response->nosniff();
 $this->response->xss();
diff --git a/app/Core/Plugin/Base.php b/app/Core/Plugin/Base.php
index a72a0cd6..1b7ac8f5 100644
--- a/app/Core/Plugin/Base.php
+++ b/app/Core/Plugin/Base.php
@@ -18,6 +18,17 @@ abstract class Base extends \Core\Base
 */
 abstract public function initialize();
+ /**
+ * Override default CSP rules
+ *
+ * @access public
+ * @param array $rules
+ */
+ public function setContentSecurityPolicy(array $rules)
+ {
+ $this->container['cspRules'] = $rules;
+ }
+
 /**
 * Returns all classes that needs to be stored in the DI container
 *
diff --git a/app/ServiceProvider/ClassProvider.php b/app/ServiceProvider/ClassProvider.php
index 8a959638..5d157749 100644
--- a/app/ServiceProvider/ClassProvider.php
+++ b/app/ServiceProvider/ClassProvider.php
@@ -126,5 +126,7 @@ class ClassProvider implements ServiceProviderInterface
 };
 $container['pluginLoader'] = new Loader($container);
+
+ $container['cspRules'] = array('style-src' => "'self' 'unsafe-inline'", 'img-src' => '* data:');
 }
 }
-- 
cgit v1.2.3
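Review bot: `setContentSecurityPolicy()` in app/Core/Plugin/Base.php assigns `$this->container['cspRules'] = $rules;`, so a plugin replaces the whole policy instead of extending it. With two plugins the last call wins silently, and a plugin that passes only its own directive drops the default `style-src` and `img-src` entries registered in ClassProvider. Nothing checks the keys or values, so one plugin can loosen the policy for every page that goes through `sendHeaders()` in app/Controller/Base.php. Merging onto the current rules, `$this->container['cspRules'] = array_merge($this->container['cspRules'], $rules);`, keeps the defaults unless a directive is overridden explicitly. The docblock should also say that the rules apply application-wide and that a loosened directive weakens the XSS protection of all pages.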
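Review bot: In app/ServiceProvider/ClassProvider.php the default `cspRules` entry is registered after `new Loader($container)`, so the result depends on when plugins run `initialize()`, which the hunk does not show. If the loader ever initialises plugins from its constructor, or this provider is registered a second time, the assignment would overwrite a plugin's policy with the default. Moving the `$container['cspRules'] = ...` line above the `pluginLoader` line removes that ordering dependency. A comment such as `// Default CSP; plugins may override it via setContentSecurityPolicy()` would document the hand-off. The enclosing method starts outside the hunk.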