Define current data usage to provide some protection from XSS attacks.
Allow for remaining scripts and images (editor script, gallery, some onclick
actions in user forms, inline svg) to be improved at a later time.
-header("Content-Security-Policy: frame-ancestors 'none'");
+header(sprintf('Content-Security-Policy: %s', implode('; ', [
+ "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
+ "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+ "frame-ancestors 'none'", # prevent malicious embedding
+])));
ob_start(); # page body
$Place = [
ob_start(); # page body
$Place = [
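Review bot: The `'unsafe-inline'` token in `default-src` on the second added line also governs `script-src` (no separate script-src is declared), so inline script is still permitted and the policy gives little protection against the injected-script class of XSS the description targets; the description acknowledges the remaining inline handlers, but two hardening directives can be added now without breaking them, and the CDN origin should be pinned to https if the site is served over TLS, since a plaintext `http://` source lets an on-path attacker replace the editor script. I would change the source line to `"default-src 'self' 'unsafe-inline' https://cdn.ckeditor.com", # some overrides remain` (assuming the CDN serves over https — confirm) and add `"object-src 'none'",` and `"base-uri 'self'",` before the frame-ancestors entry; neither depends on the inline scripts being cleaned up. A follow-up comment such as `# TODO: split script-src/style-src and drop 'unsafe-inline' once inline handlers are moved out` next to the first entry would make the intended end state explicit. The `$Place = [` assignment on the last context line continues outside the hunk.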