Improve Content-Security-Policy header

2013-08-05 19:21:37 -04:00 · 2013-08-05 19:21:37 -04:00 · a1f1ba8971
parent 5b4bbaa2d1
commit a1f1ba8971
2 changed files with 18 additions and 6 deletions
--- a/index.php
+++ b/index.php
@ -36,7 +36,7 @@ Router\before(function($action) {
    Response\csp(array(
        'media-src' => '*',
        'img-src' => '*',
-        'frame-src' => implode(' ', \PicoFeed\Filter::$iframe_whitelist)
+        'frame-src' => \PicoFeed\Filter::$iframe_whitelist
    ));

    Response\xframe();
--- a/vendor/PicoFarad/Response.php
+++ b/vendor/PicoFarad/Response.php
@ -99,18 +99,30 @@ function binary($data, $status_code = 200)
 function csp(array $policies = array())
 {
    $policies['default-src'] = "'self'";
+    $values = '';

-    foreach (array('X-WebKit-CSP', 'X-Content-Security-Policy', 'Content-Security-Policy') as $header) {
+    foreach ($policies as $policy => $hosts) {

-        $values = '';
+        if (is_array($hosts)) {

-        foreach ($policies as $policy => $hosts) {
+            $acl = '';

-            $values .= $policy.' '.$hosts.'; ';
+            foreach ($hosts as &$host) {
+
+                if ($host === '*' || $host === 'self' || strpos($host, 'http') === 0) {
+                    $acl .= $host.' ';
+                }
+            }
+        }
+        else {
+
+            $acl = $hosts;
        }

-        header($header.': '.$values);
+        $values .= $policy.' '.trim($acl).'; ';
    }
+
+    header('Content-Security-Policy: '.$values);
 }