From bc04734cdf01d9b2ac8a9b9558c4782e61086821 Mon Sep 17 00:00:00 2001
From: Mischa POSLAWSKY
Date: Sun, 17 May 2020 01:05:27 +0200
Subject: [PATCH] page: declare minimal security policy header

Define current data usage to provide some protection from XSS attacks. Allow for remaining scripts and images (editor script, gallery, some onclick actions in user forms, inline svg) to be improved at a later time.
---
 page.php | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/page.php b/page.php
index 3dd8cba..dee5ee0 100644
--- a/page.php
+++ b/page.php
@@ -159,7 +159,11 @@ if ($PageAccess = $Article->restricted) {
 # prepare page contents
-header("Content-Security-Policy: frame-ancestors 'none'");
+header(sprintf('Content-Security-Policy: %s', implode('; ', [
+ "default-src 'self' 'unsafe-inline' http://cdn.ckeditor.com", # some overrides remain
+ "img-src 'self' data: http://cdn.ckeditor.com", # inline svg (in css)
+ "frame-ancestors 'none'", # prevent malicious embedding
+])));
 ob_start(); # page body
 $Place = [
-- 
2.30.0
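Review bot: The new `default-src` and `img-src` entries whitelist `http://cdn.ckeditor.com` with a plain-http scheme, so the editor script is trusted even when fetched over an unencrypted connection and can be altered in transit; `https://cdn.ckeditor.com` is the safer source (if the site itself is served over TLS, browsers would block the http form as mixed content anyway — worth confirming how the site is deployed). Separately, `base-uri` and `form-action` do not fall back to `default-src`, so the new header still permits an injected `<base>` tag or a form posting to an arbitrary origin; adding `"base-uri 'self'",` and `"form-action 'self'",` to the array closes both gaps, and `"object-src 'none'",` keeps plugin content out of the `'self'` fallback. The `'unsafe-inline'` carve-out in `default-src` also applies to scripts and is what the "some overrides remain" comment acknowledges, so a follow-up migrating the remaining inline handlers to nonces or hashes would be what makes this policy effective against XSS. Since the policy is a fixed string, a short comment above the `header()` call naming which page features each entry exists for (editor, gallery, inline svg) would help whoever tightens it later.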