From: Mischa POSLAWSKY Date: Sat, 16 May 2020 23:05:27 +0000 (+0200) Subject: page: declare minimal security policy header X-Git-Tag: v4.4~8 X-Git-Url: http://git.shiar.nl/minimedit.git/commitdiff_plain/bc04734cdf01d9b2ac8a9b9558c4782e61086821 page: declare minimal security policy header Define current data usage to provide some protection from XSS attacks. Allow for remaining scripts and images (editor script, gallery, some onclick actions in user forms, inline svg) to be improved at a later time.
---
diff --git a/page.php b/page.php
index 3dd8cba..dee5ee0 100644
--- a/page.php
+++ b/page.php
@@ -159,7 +159,11 @@ if ($PageAccess = $Article->restricted) {
 # prepare page contents
-header("Content-Security-Policy: frame-ancestors 'none'");
+header(sprintf('Content-Security-Policy: %s', implode('; ', [
+    "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
+    "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+    "frame-ancestors 'none'", # prevent malicious embedding
+])));
 ob_start(); # page body
 $Place = [
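Review bot: The `'unsafe-inline'` granted in `default-src` also governs `script-src`, so an injected inline `<script>` or event handler still executes and the XSS protection the message describes is largely not in effect yet; the commit acknowledges the remaining inline handlers, but the policy can be tightened without breaking them. The CDN source is spelled `http://cdn.ckeditor.com`, which matches https fetches but also lets the editor script load over plain HTTP when the page itself is served over HTTP (whether HTTPS is enforced is not visible from the hunk), giving an on-path attacker script execution in the page origin — `https://cdn.ckeditor.com` costs nothing since that host serves TLS. `base-uri` does not fall back to `default-src`, so `base-uri 'self'` is needed to stop `<base>` injection, and `object-src 'none'` removes plugin content the site presumably does not use; splitting `script-src` from `style-src` confines `'unsafe-inline'` to where the editor and inline handlers still need it and makes a later nonce/hash migration a one-line change (keep the CDN host in the style list if the editor loads its skin CSS from there — verify against what it actually requests). The `sprintf('%s', …)` wrapper adds nothing over `'Content-Security-Policy: ' . implode('; ', [...])`. The enclosing block starts and ends outside the hunk.
```php
header(sprintf('Content-Security-Policy: %s', implode('; ', [
    "default-src 'self'",
    "script-src 'self' 'unsafe-inline' https://cdn.ckeditor.com", # editor, gallery and inline onclick handlers still need this
    "style-src 'self' 'unsafe-inline' https://cdn.ckeditor.com", # inline svg (in css); CDN only if the editor skin is loaded from there
    "img-src 'self' data: https://cdn.ckeditor.com",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'", # prevent malicious embedding
])));
```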