Define current data usage to provide some protection from XSS attacks.
Allow for remaining scripts and images (editor script, gallery, some onclick
actions in user forms, inline svg) to be improved at a later time.
# prepare page contents
-header("Content-Security-Policy: frame-ancestors 'none'");
+header(sprintf('Content-Security-Policy: %s', implode('; ', [
+ "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
+ "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+ "frame-ancestors 'none'", # prevent malicious embedding
+])));
ob_start(); # page body
$Place = [
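Review bot: with `'unsafe-inline'` in `default-src` and no separate `script-src` directive, the new policy still allows injected inline `<script>` and event-handler code, so the XSS protection this commit adds is limited to blocking externally hosted scripts from origins other than `'self'` and `http://cdn.ckeditor.com`; consider splitting out an explicit `script-src` (with nonces or hashes for the remaining inline handlers the message mentions) while keeping `'unsafe-inline'` only for `style-src`, and stage it as `Content-Security-Policy-Report-Only` first so the gallery and editor scripts can be checked. Also, allowing the CDN over plain `http://` means the permitted origin can be altered in transit; if the editor is served over TLS, `https://cdn.ckeditor.com` (or `https:` in addition to the host) is the safer allow-list entry.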