page: restrict security policy of base-src
authorMischa POSLAWSKY <perl@shiar.org>
Sun, 17 May 2020 00:40:31 +0000 (02:40 +0200)
committerMischa POSLAWSKY <perl@shiar.org>
Sun, 17 May 2020 14:16:48 +0000 (16:16 +0200)
page.php

index dee5ee09d9a45edd821a30f7f0b5de63359bf408..93b705ff610ef837c2b78349ab1f871a2c9333ba 100644 (file)
--- a/page.php
+++ b/page.php
@@ -162,6 +162,7 @@ if ($PageAccess = $Article->restricted) {
 header(sprintf('Content-Security-Policy: %s', implode('; ', [
        "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
        "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+       "base-uri 'self'", # only local pages
        "frame-ancestors 'none'", # prevent malicious embedding
 ])));
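Review bot: The comment on the added line, `# only local pages`, undersells why the directive is needed: `base-uri` is not covered by `default-src`, so without it an injected `<base href>` could make every relative script, form and link on the page resolve against another origin — a live concern here because `default-src` still permits `'unsafe-inline'`. Suggest `"base-uri 'self'", # <base href> must stay on-site; default-src does not cover this`. By the same logic `form-action` is also outside `default-src`; if these pages only post back to this site, `"form-action 'self'",` next to the new line would close the equivalent gap, though whether any form submits elsewhere cannot be seen from this hunk. The commit title says `base-src`, while the directive actually added is `base-uri`; the enclosing `if ($PageAccess = …)` block begins outside the hunk.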