Improve Content-Security-Policy header

index.php

@@ -36,7 +36,7 @@ Router\before(function($action) {
     Response\csp(array(
         'media-src' => '*',
         'img-src' => '*',
-        'frame-src' => implode(' ', \PicoFeed\Filter::$iframe_whitelist)
+        'frame-src' => \PicoFeed\Filter::$iframe_whitelist
     ));
 
     Response\xframe();

vendor/PicoFarad/Response.php

@@ -99,18 +99,30 @@ function binary($data, $status_code = 200)
 function csp(array $policies = array())
 {
     $policies['default-src'] = "'self'";
-
-    foreach (array('X-WebKit-CSP', 'X-Content-Security-Policy', 'Content-Security-Policy') as $header) {
-
     $values = '';
 
     foreach ($policies as $policy => $hosts) {
 
-            $values .= $policy.' '.$hosts.'; ';
+        if (is_array($hosts)) {
+
+            $acl = '';
+
+            foreach ($hosts as &$host) {
+
+                if ($host === '*' || $host === 'self' || strpos($host, 'http') === 0) {
+                    $acl .= $host.' ';
+                }
+            }
+        }
+        else {
+
+            $acl = $hosts;
         }
 
-        header($header.': '.$values);
+        $values .= $policy.' '.trim($acl).'; ';
     }
+
+    header('Content-Security-Policy: '.$values);
 }