Improve Content-Security-Policy header

This commit is contained in:
Frederic Guillot 2013-08-05 19:21:37 -04:00
parent 5b4bbaa2d1
commit a1f1ba8971
2 changed files with 18 additions and 6 deletions


@ -36,7 +36,7 @@ Router\before(function($action) {
Response\csp(array(
'media-src' => '*',
'img-src' => '*',
'frame-src' => implode(' ', \PicoFeed\Filter::$iframe_whitelist)
'frame-src' => \PicoFeed\Filter::$iframe_whitelist
));
Response\xframe();


@ -99,18 +99,30 @@ function binary($data, $status_code = 200)
function csp(array $policies = array())
{
$policies['default-src'] = "'self'";
$values = '';
foreach (array('X-WebKit-CSP', 'X-Content-Security-Policy', 'Content-Security-Policy') as $header) {
foreach ($policies as $policy => $hosts) {
$values = '';
if (is_array($hosts)) {
foreach ($policies as $policy => $hosts) {
$acl = '';
$values .= $policy.' '.$hosts.'; ';
foreach ($hosts as &$host) {
if ($host === '*' || $host === 'self' || strpos($host, 'http') === 0) {
$acl .= $host.' ';
}
}
}
else {
$acl = $hosts;
}
header($header.': '.$values);
$values .= $policy.' '.trim($acl).'; ';
}
header('Content-Security-Policy: '.$values);
}
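Review bot: The keyword test `$host === 'self'` on the `if` line inside the `foreach ($hosts as &$host)` loop accepts the bare string `self`, which a CSP parser reads as a host named "self", while the quoted form `'self'` — the very form this function emits for default-src on the `$policies['default-src'] = "'self'"` line — is rejected by the filter and silently dropped; compare against the quoted keyword instead, `if ($host === '*' || $host === "'self'" || strpos($host, 'http') === 0) {`. The `strpos($host, 'http') === 0` test only checks a prefix, so an entry containing whitespace or `;` passes through verbatim and could append further directives to the header; the whitelist appears to be a static array in PicoFeed, but if it is ever populated from configuration or user input the filter should also reject entries containing whitespace or `;`. The `&$host` reference is unnecessary, since the loop never assigns to `$host`, and it is not followed by `unset($host)`; iterate by value. Finally, when every entry of an array policy is filtered out the header carries `frame-src ;` with an empty source list, which per the CSP spec should behave like `'none'` — a fail-closed change from the old implode() behaviour that deserves a short comment above `$values .= $policy.' '.trim($acl).'; ';`.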