Changeset 3291:34af0b763d82 for inc

Timestamp:

07/24/16 14:30:20 (9 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Put CSP activation and directives in settings, thanks Gvx for report.

Location:

inc

Files:

• admin/lib.dc.page.php (modified) (1 diff)
• dbschema/upgrade.php (modified) (2 diffs)

inc/admin/lib.dc.page.php

@@ -102 +102 @@
           }
 
-          # Content-Security-Policy (report only up to now)
-          $headers['csp'] =
-               "Content-Security-Policy: ".
-                    "default-src 'self' ; ".
-                    "script-src 'self' 'unsafe-inline' 'unsafe-eval' ; ".
-                    "style-src 'self' 'unsafe-inline' ; ".
-                    "img-src 'self' data: media.dotaddict.org".
-                    (version_compare(phpversion(),'5.4','>=') ? " ; report-uri ".DC_ADMIN_URL."csp_report.php" : '');
+          # Content-Security-Policy
+          if ($core->blog->settings->system->csp_admin_on) {
+               $headers['csp'] =
+                    "Content-Security-Policy: ".
+                         "default-src ".($core->blog->settings->system->csp_admin_default ? $core->blog->settings->system->csp_admin_default : 'self')." ; ".
+                         "script-src ".($core->blog->settings->system->csp_admin_script ? $core->blog->settings->system->csp_admin_script : "'self' 'unsafe-inline' 'unsafe-eval'")." ; ".
+                         "style-src ".($core->blog->settings->system->csp_admin_style ? $core->blog->settings->system->csp_admin_style : "'self' 'unsafe-inline'")." ; ".
+                         "img-src ".($core->blog->settings->system->csp_admin_img ? $core->blog->settings->system->csp_admin_img : "'self' data: media.dotaddict.org").
+                         (version_compare(phpversion(),'5.4','>=') ? " ; report-uri ".DC_ADMIN_URL."csp_report.php" : '');
+          }
 
           # --BEHAVIOR-- adminPageHTTPHeaders

inc/dbschema/upgrade.php

@@ -568 +568 @@
                          ' (setting_id,setting_ns,setting_value,setting_type,setting_label)'.
                          ' VALUES(\'%s\',\'system\',\'%s\',\'%s\',\'%s\')';
+               # Import feed control
                $core->con->execute(
                     sprintf($strReq,'import_feed_url_control',true,'boolean','Control feed URL before import'));
@@ -576 +577 @@
                $core->con->execute(
                     sprintf($strReq,'import_feed_port_regexp','/^(80|443)$/','string','Authorize import feed only from this port regexp'));
+               # CSP directive (admin part)
+               $core->con->execute(
+                    sprintf($strReq,'csp_admin_on',true,'boolean','Send CSP header (admin)'));
+               $core->con->execute(
+                    sprintf($strReq,'csp_admin_default',"\'self\'",'string','CSP default-src directive'));
+               $core->con->execute(
+                    sprintf($strReq,'csp_admin_script',"\'self\' \'unsafe-inline\' \'unsafe-eval\'",'string','CSP script-src directive'));
+               $core->con->execute(
+                    sprintf($strReq,'csp_admin_style',"\'self\' \'unsafe-inline\'",'string','CSP style-src directive'));
+               $core->con->execute(
+                    sprintf($strReq,'csp_admin_img',"\'self\' data: media.dotaddict.org",'string','CSP img-src directive'));
           }