Changeset 3326:6735e0420ee9

Timestamp:

08/27/16 12:34:53 (9 years ago)

Author:

franck <carnet.franck.paul@…>

Branch:

default

Message:

Add a CSP Report only option for admin (see about:config), default → false

Files:

admin/install/index.php

r3303	r3326
172	172	# CSP directive (admin part)
173	173	$blog_settings->system->put('csp_admin_on',true,'boolean','Send CSP header (admin)',true,true);
	174	$blog_settings->system->put('csp_admin_report_only',false,'boolean','CSP Report only violations (admin)',true,true);
174	175	$blog_settings->system->put('csp_admin_default',"'self'",'string','CSP default-src directive',true,true);
175	176	$blog_settings->system->put('csp_admin_script',"'self' 'unsafe-inline' 'unsafe-eval'",'string','CSP script-src directive',true,true);

r3320	r3326
137	137	$directives[] = "report-uri ".DC_ADMIN_URL."csp_report.php";
138	138	}
139		$headers['csp'] = "Content-Security-Policy: ".implode(" ; ",$directives);
	139	$report_only = ($core->blog->settings->system->csp_admin_report_only) ? '-Report-Only' : '';
	140	$headers['csp'] = "Content-Security-Policy".$report_only.": ".implode(" ; ",$directives);
140	141	}
141	142	}

-                      r3324
+                      r3326
                // Remove the CSP report file from it's old place
                @unlink(DC_ROOT.'/admin/csp_report.txt');
+               # Some new settings should be initialized, prepare db queries
+               $strReq = 'INSERT INTO '.$core->prefix.'setting'.
+                         ' (setting_id,setting_ns,setting_value,setting_type,setting_label)'.
+                         ' VALUES(\'%s\',\'system\',\'%s\',\'%s\',\'%s\')';
+               $core->con->execute(
+                    sprintf($strReq,'csp_admin_report_only',false,'boolean','CSP Report only violations (admin)'));
+          }

Note: See TracChangeset for help on using the changeset viewer.