From a1f1ba897102bd90445998a49ec107c6986169d9 Mon Sep 17 00:00:00 2001
From: Frederic Guillot
Date: Mon, 5 Aug 2013 19:21:37 -0400
Subject: [PATCH] Improve Content-Security-Policy header
---
 index.php | 2 +-
 vendor/PicoFarad/Response.php | 22 +++++++++++++++++-----
 2 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/index.php b/index.php
index 20756a7..b15c71d 100644
--- a/index.php
+++ b/index.php
@@ -36,7 +36,7 @@ Router\before(function($action) {
 Response\csp(array(
 'media-src' => '*',
 'img-src' => '*',
- 'frame-src' => implode(' ', \PicoFeed\Filter::$iframe_whitelist)
+ 'frame-src' => \PicoFeed\Filter::$iframe_whitelist
 ));
 Response\xframe();
diff --git a/vendor/PicoFarad/Response.php b/vendor/PicoFarad/Response.php
index 3fd8389..dc54e01 100644
--- a/vendor/PicoFarad/Response.php
+++ b/vendor/PicoFarad/Response.php
@@ -99,18 +99,30 @@ function binary($data, $status_code = 200)
 function csp(array $policies = array())
 {
 $policies['default-src'] = "'self'";
+ $values = '';
- foreach (array('X-WebKit-CSP', 'X-Content-Security-Policy', 'Content-Security-Policy') as $header) {
+ foreach ($policies as $policy => $hosts) {
- $values = '';
+ if (is_array($hosts)) {
- foreach ($policies as $policy => $hosts) {
+ $acl = '';
- $values .= $policy.' '.$hosts.'; ';
+ foreach ($hosts as &$host) {
+
+ if ($host === '*' || $host === 'self' || strpos($host, 'http') === 0) {
+ $acl .= $host.' ';
+ }
+ }
+ }
+ else {
+
+ $acl = $hosts;
 }
- header($header.': '.$values);
+ $values .= $policy.' '.trim($acl).'; ';
 }
+
+
+ header('Content-Security-Policy: '.$values);
 }
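Review bot: With the whitelist now handed over as an array, the new `csp()` keeps only entries equal to `*` or `self` or starting with `http` and silently drops everything else, so a whitelist entry written as a bare host or with another scheme would vanish from `frame-src` with no warning. I cannot see `\PicoFeed\Filter::$iframe_whitelist` from here, so it is worth confirming that every entry carries an `http`/`https` scheme. A one-line comment on the changed line, `// Response\csp() filters these: only '*', 'self' or http(s) URLs survive`, would make that contract visible at the call site. The enclosing `Router\before` callback continues outside the hunk.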
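Review bot: The keyword check in the new inner loop, `$host === 'self'`, lets the bare word `self` through to the header, where a CSP parser reads it as a hostname rather than the same-origin keyword — keywords must be single-quoted, as the `default-src` line above already does with `"'self'"`. Either compare against the quoted form, `$host === "'self'"`, or normalise before appending, `if ($host === 'self') { $host = "'self'"; }`. The `&` in `foreach ($hosts as &$host)` is unnecessary since nothing writes to `$host`, and without a trailing `unset($host)` the reference outlives the loop; plain `foreach ($hosts as $host)` avoids that. The rewrite also emits only `Content-Security-Policy` and no longer sends the prefixed `X-WebKit-CSP`/`X-Content-Security-Policy` headers, so a client that understood only those would lose the policy entirely — whether that matters depends on which browsers you still support. Finally, `strpos($host, 'http') === 0` is a loose prefix test (it admits e.g. `httpfoo`) that silently discards any other entry; at minimum a comment such as `// drop anything that is not '*', 'self' or an http(s) origin` should state that intent.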