page: declare minimal security policy header
index 3dd8cba7f290facb110232f0bbd2f105f95bdb33..dee5ee09d9a45edd821a30f7f0b5de63359bf408 100644 (file)
--- a/page.php
+++ b/page.php
@@ -159,7 +159,11 @@ if ($PageAccess = $Article->restricted) {
 
 # prepare page contents
 
-header("Content-Security-Policy: frame-ancestors 'none'");
+header(sprintf('Content-Security-Policy: %s', implode('; ', [
+       "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
+       "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+       "frame-ancestors 'none'", # prevent malicious embedding
+])));
 
 ob_start(); # page body
 $Place = [
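Review bot: The `default-src 'self' 'unsafe-inline' ...` entry on the first array line also governs `script-src`, since no `script-src` directive is declared, so the policy permits inline scripts and gives little protection against injected markup; its `http://` CDN origin additionally allows the editor scripts to be tampered with in transit. Keep `'unsafe-inline'` confined to styles by splitting the directive, e.g. `"default-src 'self' https://cdn.ckeditor.com", "script-src 'self' https://cdn.ckeditor.com", "style-src 'self' 'unsafe-inline' https://cdn.ckeditor.com",` and move any inline scripts the pages still carry to files or nonces, assuming the CDN is reachable over https. The `# some overrides remain` comment would then be worth expanding to name which resources still need the relaxation, so the next maintainer knows what blocks tightening it further. The header call is top-level code, so no enclosing function is cut by the hunk.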