git.shiar.nl / minimedit.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 63c023f)
page: declare minimal security policy header
authorMischa POSLAWSKY <perl@shiar.org>
Sat, 16 May 2020 23:05:27 +0000 (01:05 +0200)
committerMischa POSLAWSKY <perl@shiar.org>
Sat, 16 May 2020 23:24:28 +0000 (01:24 +0200)
Define current data usage to provide some protection from XSS attacks.
Allow for remaining scripts and images (editor script, gallery, some onclick
actions in user forms, inline svg) to be improved at a later time.

page.php patch | blob | history

diff --git a/page.php b/page.php
index 3dd8cba7f290facb110232f0bbd2f105f95bdb33..dee5ee09d9a45edd821a30f7f0b5de63359bf408 100644 (file)
--- a/page.php
+++ b/page.php
@@ -159,7 +159,11 @@ if ($PageAccess = $Article->restricted) {
 
 # prepare page contents
 
-header("Content-Security-Policy: frame-ancestors 'none'");
+header(sprintf('Content-Security-Policy: %s', implode('; ', [
+       "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
+       "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+       "frame-ancestors 'none'", # prevent malicious embedding
+])));
 
 ob_start(); # page body
 $Place = [
MinimEdit - databaseless cms with only a bit of php