Changeset 3291:34af0b763d82 for inc/admin

Timestamp:

07/24/16 14:30:20 (9 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Put CSP activation and directives in settings, thanks Gvx for report.

File:

• inc/admin/lib.dc.page.php (modified) (1 diff)

inc/admin/lib.dc.page.php

@@ -102 +102 @@
           }
 
-          # Content-Security-Policy (report only up to now)
-          $headers['csp'] =
-               "Content-Security-Policy: ".
-                    "default-src 'self' ; ".
-                    "script-src 'self' 'unsafe-inline' 'unsafe-eval' ; ".
-                    "style-src 'self' 'unsafe-inline' ; ".
-                    "img-src 'self' data: media.dotaddict.org".
-                    (version_compare(phpversion(),'5.4','>=') ? " ; report-uri ".DC_ADMIN_URL."csp_report.php" : '');
+          # Content-Security-Policy
+          if ($core->blog->settings->system->csp_admin_on) {
+               $headers['csp'] =
+                    "Content-Security-Policy: ".
+                         "default-src ".($core->blog->settings->system->csp_admin_default ? $core->blog->settings->system->csp_admin_default : 'self')." ; ".
+                         "script-src ".($core->blog->settings->system->csp_admin_script ? $core->blog->settings->system->csp_admin_script : "'self' 'unsafe-inline' 'unsafe-eval'")." ; ".
+                         "style-src ".($core->blog->settings->system->csp_admin_style ? $core->blog->settings->system->csp_admin_style : "'self' 'unsafe-inline'")." ; ".
+                         "img-src ".($core->blog->settings->system->csp_admin_img ? $core->blog->settings->system->csp_admin_img : "'self' data: media.dotaddict.org").
+                         (version_compare(phpversion(),'5.4','>=') ? " ; report-uri ".DC_ADMIN_URL."csp_report.php" : '');
+          }
 
           # --BEHAVIOR-- adminPageHTTPHeaders